The Table widget displays data in rows and columns.
The result of any Humio query can be displayed in a table. It is best used with output that has a limited and predefined number of fields, unlike for instance raw events which can produce a huge number of columns and slow down the UI.
The table widget is best used with aggregate functions like
can help sort the columns
since fields and columns will be displayed in the order that they are provided to the function.
Assume we have a service producing logs like the ones below:
2018-10-10T01:10:11.322Z [ERROR] Invalid User ID. errorID=2, userId=10 2018-10-10T01:10:12.172Z [WARN] Low Disk Space. 2018-10-10T01:10:14.122Z [ERROR] Invalid User ID. errorID=2, userId=11 2018-10-10T01:10:15.312Z [ERROR] Connection Dropped. errorID=112 server=188.8.131.52 2018-10-10T01:10:16.912Z [INFO] User Login. userId=11
We want to figure out which errors occur most often and show them in a table on one of our dashboards.
We can do a query like:
loglevel = ERROR | groupBy(errorID, function=[count(as=Count), collect(message)]) | rename(errorID, as="Error ID") | table(["Error ID", message])
counting the number of errors bucketed by their
errorId. Since we also
want to show a human readable message in the table and not just the ID,
we include the function
which ensures that the value
message field makes it through the
groupBy phase (which otherwise only
includes the series field (
errorId) and the result of the aggregate function (
Since we want our table to look nice on the dashboard, we rename the
Error ID as this will be the header in our table.
Finally, we use the
function to ensure the order of the columns.