Specify a set of fields to select from each event. You most likely want to use the table() function instead. Table is an aggregate function that can also sort events while limiting the number of events.
A use-case for select is when you want to export a few fields from a large number of events into e.g. a CSV file. When viewed in the UI, you get the latest 200 events, but when exporting the result, you get all matching events.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| fields | [string] | Yes | The names of the fields to keep. |
fields is the unnamed parameter.
Look at HTTP GET methods and create a unsorted table with the fields statuscode and responsetime
method=GET | select([statuscode, responsetime])
Get a table of timestamp and rawstring for all events in range. In the humio UI this will get limited to 200 entries, but exporting the result as e.g. CSV will export all matching events in the time window searched.
select([@timestamp, @rawstring])
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| where | [Filter] | Yes | The subquery to execute producing the values to join with | |
| select | [string] | No | Specifies columns to include. Default to none. | |
| collect | [string] | No | Specifies columns to include. Default to none. | |
| field | [string] | Yes | specifies which field in the event (log line) that must match the given column value | |
| limit | number | No | 20000 | specifies the maximum number of rows in the subquery 1..MAX_STATE_LIMIT |
| prefilter | bool | No | false | only pass values matching at least one of the where clauses into the embedded groupby |
| postfilter | bool | No | false | re-run the AND of the where clauses after collating results. If all fields needed for satisfying the where clauses are provided as values for collect, this will eliminate false positives in the output. |
field is the unnamed parameter.
Select emails from an eventstream where each email is split into one event per header, such as the IronPort email log. Here, we find all emails that are from peter to anders.
selfJoin(email_id, where=[{from=*peter*}, {to=*anders*}], collect=[from,to])