Select report columns with | table

Last week custom reports went live. One of the first things you of course want is the ability to select the columns or fields you want in the search results and exports. For that, we now have the keyword table.

Just like in Splunk, you can "pipe" queries in to other commands. For now only the table command is supported. With table you can explicitly select the columns you want in the search results. It works on all queries, including queries with the by keyword. All queries where results are grouped with by will always contain the count per group in the last column (named "count").

Here is an example query to try:

index=websites latest=-7d | table url ip https_status http_status

You can also use | table to select columns in combination with the by keyword in grouped results:

index=hosts by asn | table asn country