table
Display specific fields in a tabular format. Control which fields appear in results and their order.
Description
The table command selects which fields to display and in what order. It's useful for creating clean, focused output by removing unnecessary fields and organizing data for readability.
Unlike fields, which includes or excludes fields, table explicitly defines the exact fields and order to display. Any fields not listed are excluded from the output.
Syntax
    ... | table <field> [as <alias>] [, <field> [as <alias>] ...]

Required Arguments
field
One or more field names to display. Fields appear in the order specified.
Optional Arguments
as
Syntax: as <alias>
Description: Display the field with a different name
Example: src_ip as "Source IP"
Examples
Display specific fields

    * | table timestamp, user, action, src_ip

Shows only the specified fields in that order.

Reorder fields

    * | table user, src_ip, dest_ip, bytes, timestamp

Displays fields in a custom order (not the default order).

With aliases

    * | table timestamp as "Time",
              user as "Username",
              action as "Action",
              src_ip as "Source IP"

Renames fields for better readability.

After aggregation

    * | stats count() as events,
              sum(bytes) as total_bytes
              by user
      | table user, events, total_bytes

Displays aggregated results in a specific order.

Subset of aggregated fields

    * | stats count() as events,
              dc(src_ip) as unique_ips,
              sum(bytes) as bytes,
              avg(response_time) as avg_time
              by endpoint
      | table endpoint, events, avg_time

Shows only selected metrics from the aggregation.

Clean output for reporting

    action=login
      | table timestamp, user, src_ip, status, message

Creates a clean login report.

After eval calculations

    * | stats sum(bytes_in) as inbound,
              sum(bytes_out) as outbound
              by src_ip
      | eval total = inbound + outbound
      | table src_ip, inbound, outbound, total

Displays calculated fields alongside the original data.

Investigation summary

    user="john.doe"
      | table timestamp, action, src_ip, dest_ip, dest_port, bytes

Focused view of a single user's activity.

Alert details

    alert_name="Suspicious Activity"
      | table timestamp as "Alert Time",
              src_ip as "Source",
              user as "User",
              alert_severity as "Severity",
              message as "Details"

Formatted alert report with readable column names.

Top users with details

    * | stats count() as events,
              sum(bytes) as bytes,
              dc(dest_ip) as unique_destinations
              by user
      | sort -events
      | head 10
      | table user, events, bytes, unique_destinations

Top 10 users with selected metrics.

Network connections

    * | dedup src_ip, dest_ip, dest_port
      | table src_ip, dest_ip, dest_port, protocol, bytes

Unique connections with the relevant fields.

File activity

    action=file_created OR action=file_modified
      | table timestamp, action, file_path, file_hash, user, src_host

File activity log with key details.

Error analysis

    severity=error
      | table timestamp, source_type, message, src_host, error_code

Error log with diagnostic information.

Minimal output

    * | table user

Shows only the user field.

Combine with head for sampling

    * | head 100
      | table timestamp, user, action

Sample of 100 events with selected fields.
Usage Notes
Field order: Fields appear in the exact order specified in the table command.
Missing fields: If a specified field doesn't exist in an event, it appears as empty/null in the output.
All fields excluded: Only fields listed in table appear in results. All other fields are removed.
Performance: table is lightweight and doesn't impact performance significantly.
vs. fields: Use table when you want to explicitly define output. Use fields when you want to include/exclude fields while keeping others.
Aliases: Aliases only affect display names, not the underlying field names. Subsequent commands must use original field names.
Aggregations: table works well after stats to select which aggregated metrics to display.
Readability: Use aliases with spaces for human-readable reports: as "Source IP Address".
Wildcards: table does not support wildcards. You must explicitly list each field.
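The following is an added reference model of the usage notes above, not code from the product: it takes only the part after "table" (the field list), keeps the listed fields in the order written, fills missing fields with None, applies aliases only when rendering so later commands still see the original names, and rejects wildcards. The sample events and field names are constructed to match the page's examples.

```python
"""Model of the documented table semantics: ordered field selection, None for
missing fields, display-only aliases, no wildcards (added example, not product code)."""
from __future__ import annotations
import re

# Constructed sample events; field names follow the page's examples.
EVENTS = [
    {"timestamp": "2024-01-01T10:00:00Z", "user": "alice", "action": "login",
     "src_ip": "10.0.0.5", "bytes": 120},
    {"timestamp": "2024-01-01T10:05:00Z", "user": "bob", "action": "login",
     "bytes": 300},  # no src_ip: the column must still appear, as None
]

_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")  # no '*' allowed

def parse_table_spec(spec: str) -> list[tuple[str, str]]:
    """Parse '<field> [as <alias>] [, ...]' (newlines allowed) into
    (original_name, display_name) pairs in the order written."""
    cols = []
    for item in spec.split(","):
        parts = re.split(r"\s+as\s+", item.strip(), maxsplit=1)
        field = parts[0]
        if not _FIELD_RE.match(field):
            raise ValueError(f"table does not support wildcards: {field!r}")
        alias = parts[1].strip().strip('"') if len(parts) == 2 else field
        cols.append((field, alias))
    return cols

def table(events: list[dict], spec: str) -> tuple[list[dict], dict[str, str]]:
    """Keep only the listed fields, in the listed order; unlisted fields are
    dropped and missing ones become None. Rows stay keyed by ORIGINAL names
    (aliases are display-only), so a later command such as eval still
    refers to src_ip, not "Source IP"."""
    cols = parse_table_spec(spec)
    rows = [{field: ev.get(field) for field, _ in cols} for ev in events]
    return rows, dict(cols)

def render(rows: list[dict], display: dict[str, str]) -> list[list[str]]:
    """Apply aliases only here: header uses display names, None renders as ''."""
    header = [display[f] for f in display]
    body = [["" if r[f] is None else str(r[f]) for f in display] for r in rows]
    return [header] + body

if __name__ == "__main__":
    rows, names = table(EVENTS, 'timestamp as "Time", user as "Username", src_ip as "Source IP"')
    for line in render(rows, names):
        print(" | ".join(line))
```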