Represents the data as a table. Specify a list of fields to select; the columns in the table appear in the specified field order. This is an aggregate function, and it limits the number of events returned using the limit parameter. The sortby parameter specifies how the table is sorted. (See the select() function for similar tabular output that does not limit the number of events returned and does not sort the result, and is thus better suited for exporting large amounts of data to a file.)
Name | Type | Required | Default | Description |
---|---|---|---|---|
fields | [string] | Yes | | The names of the fields to select. |
sortby | [string] | No | @timestamp | Names of fields to sort by. |
type | [string] | No | any | Type of the fields to sort. Can be any, string, number, or hex. |
reverse | bool | No | | Whether to sort in descending order. Deprecated: prefer order instead. |
order | [string] | No | | Order to sort in. Can be any prefix of ascending or descending. descending is default. |
limit | number | No | | Limit result size. If no limit is specified, a default limit of 200 is used. |

fields is the unnamed parameter.
Look at HTTP GET methods and create a table with the fields statuscode and responsetime
method=GET | table([statuscode, responsetime])
Show the name and responsetime of the 50 slowest requests
table([name, responsetime], sortby=responsetime, reverse=true, limit=50)