table
The table command is similar to the fields command in that it enables you to specify the fields you want to keep in your results. Use the table command when you want to retain data purely as a table.
The table command can be used to build a scatter plot to show trends in the relationships between discrete values of your data. Otherwise, you should not use it for charts (such as chart or timechart) because the UI requires the internal fields (which are the fields beginning with an underscore, _*) to render the charts, and the table command strips these fields out of the results by default. Instead, you should use the fields command because it always retains all the internal fields.
Synopsis
Creates a table using only the field names specified.
Syntax
table <wc-field-list>
Arguments
- <wc-field-list>
- Syntax: <wc-field> <wc-field> ...
- Description: A list of field names, can include wildcards.
Description
The table command returns a table formed by only the fields specified in the arguments. Columns are displayed in the same order that fields are specified. Column headers are the field names. Rows are the field values. Each row represents an event.
The table command doesn't let you rename fields, only specify the fields that you want to show in your tabulated results. If you're going to rename a field, do it before piping the results to table.
Examples
Example 1
This example uses recent (October 11-18, 2010) earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains the source network (Src), ID (Eqid), version, date, location, magnitude, depth (km) and number of reporting stations (NST) for each earthquake over the last 7 days.
Download the text file, M 2.5+ earthquakes, past 7 days, save it as a CSV file, and upload it to Splunk. Splunk should extract the fields automatically. Note that you'll be seeing data from the 7 days previous to your download, so your results will vary from the ones displayed below.
Search for recent earthquakes in and around California and display only the time of the quake (Datetime), where it occurred (Region), and the quake's magnitude (Magnitude) and depth (Depth).
source="eqs7day-M1.csv" Region=*California | table Datetime, Region, Magnitude, Depth
This simply reformats your events into a table and displays only the fields that you specified as arguments.
Example 2
This example uses recent (October 11-18, 2010) earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains the source network (Src), ID (Eqid), version, date, location, magnitude, depth (km) and number of reporting stations (NST) for each earthquake over the last 7 days.
Download the text file, M 2.5+ earthquakes, past 7 days, save it as a CSV file, and upload it to Splunk. Splunk should extract the fields automatically. Note that you'll be seeing data from the 7 days previous to your download, so your results will vary from the ones displayed below.
Show the date, time, coordinates, and magnitude of each recent earthquake in Northern California.
source="eqs7day-M1.csv" Region="Northern California" | rename Lat AS Latitude, Lon AS Longitude | table Datetime, L*, Magnitude
This example begins with a search for all recent earthquakes in Northern California (Region="Northern California").
Then it pipes these events into the rename command to change the names of the coordinate fields, from Lat and Lon to Latitude and Longitude. (The table command doesn't let you rename or reformat fields, only specify the fields that you want to show in your tabulated results.)
Finally, it pipes the results into the table command and specifies both coordinate fields with L*, the magnitude with Magnitude, and the date and time with Datetime.
This example just illustrates how the table command syntax allows you to specify multiple fields using the asterisk wildcard.
Example 3
This example uses the sample dataset from the tutorial but should work with any format of Apache Web access log. Download the data set from this topic in the tutorial and follow the instructions to upload it to Splunk. Then, run this search using the time range, All time.
Search for IP addresses and classify the network they belong to.
sourcetype=access_* | dedup clientip | eval network=if(cidrmatch("192.0.0.0/16", clientip), "local", "other") | table clientip, network
This example searches for Web access data and uses the dedup command to remove duplicate values of the IP addresses (clientip) that access the server. These results are piped into the eval command, which uses the cidrmatch() function to compare the IP addresses to a subnet range (192.0.0.0/16). This search also uses the if() function, which says that if the value of clientip falls in the subnet range, then network is given the value local. Otherwise, network=other.
The results are then piped into the table command to show only the distinct IP addresses (clientip) and the network classification (network).
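To make the behaviour described in the Description section and in Example 3 concrete, here is an added Python model of that pipeline (dedup, eval with cidrmatch(), then table). It is not Splunk's code and not part of this page; it assumes constructed Apache-style access-log lines, keeps the first event seen per client address for dedup, expands a table wildcard to matching field names in alphabetical order (an ordering assumption), and drops internal fields (those starting with an underscore) unless a pattern itself starts with an underscore, which is the point the page makes about charts.

```python
import fnmatch
import ipaddress
import re

# Constructed sample events in Apache access-log format; these are not records
# from the tutorial data set the page refers to.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2010:10:12:01 -0700] "GET /index.html HTTP/1.1" 200 512
192.0.2.44 - - [18/Oct/2010:10:12:07 -0700] "GET /login HTTP/1.1" 200 1024
10.0.0.5 - - [18/Oct/2010:10:13:22 -0700] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [18/Oct/2010:10:14:03 -0700] "GET /admin HTTP/1.1" 403 128
192.0.2.44 - - [18/Oct/2010:10:15:40 -0700] "GET /logout HTTP/1.1" 200 64
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<_time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_access_log(text):
    """Turn each log line into an event dict. Internal fields (_raw, _time)
    are kept alongside the extracted fields, as a Splunk event carries them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not look like access-log entries
        event = m.groupdict()
        event["_raw"] = line
        events.append(event)
    return events


def dedup(events, field):
    """Keep only the first event seen for each distinct value of `field`
    (assumed pipeline order), dropping events that lack the field."""
    seen, kept = set(), []
    for ev in events:
        value = ev.get(field)
        if value is None or value in seen:
            continue
        seen.add(value)
        kept.append(ev)
    return kept


def cidrmatch(cidr, ip):
    """True when `ip` lies inside `cidr`; False for anything that is not a
    parseable address, so a malformed client field is never classed as local."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def eval_network(events, cidr, field="clientip"):
    """Add a `network` field: 'local' if the address is inside `cidr`, else 'other'."""
    for ev in events:
        ev["network"] = "local" if cidrmatch(cidr, ev.get(field, "")) else "other"
    return events


def table(events, *patterns):
    """Project events onto the named fields, in argument order. A wildcard
    expands to matching field names in alphabetical order (an assumption made
    here for determinism). Internal fields (_*) are only included when the
    pattern itself starts with an underscore."""
    known = sorted({name for ev in events for name in ev})
    columns = []
    for pat in patterns:
        if any(ch in pat for ch in "*?["):
            matches = [n for n in known
                       if fnmatch.fnmatchcase(n, pat)
                       and (not n.startswith("_") or pat.startswith("_"))]
        else:
            matches = [pat]
        for name in matches:
            if name not in columns:
                columns.append(name)
    rows = [tuple(ev.get(c) for c in columns) for ev in events]
    return columns, rows


def classify_clients(text, cidr):
    """The page's Example 3 pipeline: dedup clientip | eval network=... | table clientip, network."""
    events = parse_access_log(text)
    events = dedup(events, "clientip")
    events = eval_network(events, cidr)
    return table(events, "clientip", "network")


if __name__ == "__main__":
    cols, rows = classify_clients(SAMPLE_LOG, "192.0.0.0/16")
    print("\t".join(cols))
    for row in rows:
        print("\t".join(str(v) for v in row))
```

Running the module prints the two-column result for the constructed lines: 10.0.0.5 and 198.51.100.9 fall outside 192.0.0.0/16 and are classed other, 192.0.2.44 is classed local, and each address appears once. Calling table() with "*" on the parsed events shows the _raw and _time columns disappearing, which is why the page steers chart searches toward the fields command.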
More examples
Example 1: Create a table for fields foo, bar, then all fields that start with 'baz'.
... | table foo bar baz*
See Also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the table command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2