table search command


This search command extracts fields from events with information in a tabular format. A new event is created for each table row. Field names are derived from the title row of the table. Optionally, you can specify a list of fields that you want to further extract and keep from the given list of all fields. You can also filter search results to keep records that match the specified filter criteria.

If you do not specify fields, all fields extracted are displayed. Furthermore, if you do not specify a filter criterion, all data extracted is displayed along with the extracted fields.

For a list of all search commands, see Search-commands.

Syntax

table [fields <field-list>+] [filter <filter-criterion>+]

In the preceding syntax, the following definitions apply:

  • + indicates one or more similar expressions separated by a comma (,) or space.
  • [expression] indicates it is optional.
  • <field-list> refers to a list of space-separated fields that you want to keep in the search results. This parameter is optional.
  • <filter-criterion> refers to a list of space-separated values (data entries) by which you want to filter the search results. This parameter is optional.

Short examples

Example 1: Extract the column headings that appear in the raw data as fields and create a new data entry for each row.

... | table 

Example 2: Extract the PID, USER, %CPU, and CMD fields.

... | table fields PID USER %CPU CMD

Example 3: Extract the PID, USER, %CPU, and CMD fields when they occur in rows that contain the "itda" raw-data entry.

... | table fields PID USER %CPU CMD filter itda

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the table command.

Sample data

Wed Jun  4 08:16:38 CDT 2014
  PID USER     %CPU     RSS     VSZ CMD
    1 root      0.0    1416   19364 /sbin/init
    4 root      0.0       0       0 [ksoftirqd/0]
  418 root      0.0     416   10944 /sbin/udevd -d
  705 root      0.0       0       0 [vmmemctl]
 1611 root      0.0     636    9120 /sbin/dhclient
 3251 root      0.0    3932  144556 /bin/rscd
 3288 root      0.0     528    4064 /sbin/mingetty /dev/tty2
15646 root      0.0   29504  493824 konsole
15649 root      0.0    2368  108956 /bin/bash
17764 root      0.0   18376  396656 /usr/bin/knotify4
22220 root      1.3 1433560 2444112 itda_indexer
22222 root      1.0  578668 2284768 itda_station
22225 root      2.4  761484 2765776 itda_server
22227 root      0.3  149836 1861804 itda_database

Sample indexed data

Wed Jun  4 08:16:38 CDT 2014
  PID USER     %CPU     RSS     VSZ CMD
    1 root      0.0    1416   19364 /sbin/init
    4 root      0.0       0       0 [ksoftirqd/0]
  418 root      0.0     416   10944 /sbin/udevd -d
  705 root      0.0       0       0 [vmmemctl]
 1611 root      0.0     636    9120 /sbin/dhclient
 3251 root      0.0    3932  144556 /bin/rscd
 3288 root      0.0     528    4064 /sbin/mingetty /dev/tty2
15646 root      0.0   29504  493824 konsole
15649 root      0.0    2368  108956 /bin/bash
17764 root      0.0   18376  396656 /usr/bin/knotify4
22220 root      1.3 1433560 2444112 itda_indexer
22222 root      1.0  578668 2284768 itda_station
22225 root      2.4  761484 2765776 itda_server
22227 root      0.3  149836 1861804 itda_database

HOST=local.bmc.com |COLLECTOR_NAME=u4

table

In this example, you use the command to extract fields from the event data that appears in a tabular format.

The table column names are displayed as fields, and a separate record is created for each row in the table.

Command

... | table

Output

22227 root 0.3 149836 1861804 itda_database

HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_database|VSZ=1861804|PID=22227|%CPU=0.3|RSS=149836|USER=root

22225 root 2.4 761484 2765776 itda_server

HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_server|VSZ=2765776|PID=22225|%CPU=2.4|RSS=761484|USER=root

22222 root 1.0 578668 2284768 itda_station

HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_station|VSZ=2284768|PID=22222|%CPU=1.0|RSS=578668|USER=root

22220 root 1.3 1433560 2444112 itda_indexer

HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_indexer|VSZ=2444112|PID=22220|%CPU=1.3|RSS=1433560|USER=root

17764 root 0.0 18376 396656 /usr/bin/knotify4

HOST=myhost |COLLECTOR_NAME=up_table |CMD=/usr/bin/knotify4|VSZ=396656|PID=17764|%CPU=0.0|RSS=18376|USER=root

15649 root 0.0 2368 108956 /bin/bash

HOST=myhost |COLLECTOR_NAME=up_table |CMD=/bin/bash|VSZ=108956|PID=15649|%CPU=0.0|RSS=2368|USER=root

15646 root 0.0 29504 493824 konsole

HOST=myhost |COLLECTOR_NAME=up_table |CMD=konsole|VSZ=493824|PID=15646|%CPU=0.0|RSS=29504|USER=root

3288 root 0.0 528 4064 /sbin/mingetty /dev/tty2

HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/mingetty|VSZ=4064|PID=3288|%CPU=0.0|RSS=528|USER=root

3251 root 0.0 3932 144556 /bin/rscd

HOST=myhost |COLLECTOR_NAME=up_table |CMD=/bin/rscd|VSZ=144556|PID=3251|%CPU=0.0|RSS=3932|USER=root

1611 root 0.0 636 9120 /sbin/dhclient

HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/dhclient|VSZ=9120|PID=1611|%CPU=0.0|RSS=636|USER=root

705 root 0.0 0 0 [vmmemctl]

HOST=myhost |COLLECTOR_NAME=up_table |CMD=[vmmemctl]|VSZ=0|PID=705|%CPU=0.0|RSS=0|USER=root

418 root 0.0 416 10944 /sbin/udevd -d

HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/udevd|VSZ=10944|PID=418|%CPU=0.0|RSS=416|USER=root

4 root 0.0 0 0 [ksoftirqd/0]

HOST=myhost |COLLECTOR_NAME=up_table |CMD=[ksoftirqd/0]|VSZ=0|PID=4|%CPU=0.0|RSS=0|USER=root

1 root 0.0 1416 19364 /sbin/init

HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/init|VSZ=19364|PID=1|%CPU=0.0|RSS=1416|USER=root

table with fields

In this example, you use the command to extract the PID, USER, %CPU, and CMD fields.

Command

... | table fields PID USER %CPU CMD

Output

22227 root 0.3 149836 1861804 itda_database

HOST=myhost |COLLECTOR_NAME=up_table |PID=22227|USER=root|%CPU=0.3|CMD=itda_database

22225 root 2.4 761484 2765776 itda_server

HOST=myhost |COLLECTOR_NAME=up_table |PID=22225|USER=root|%CPU=2.4|CMD=itda_server

22222 root 1.0 578668 2284768 itda_station

HOST=myhost |COLLECTOR_NAME=up_table |PID=22222|USER=root|%CPU=1.0|CMD=itda_station

22220 root 1.3 1433560 2444112 itda_indexer

HOST=myhost |COLLECTOR_NAME=up_table |PID=22220|USER=root|%CPU=1.3|CMD=itda_indexer

17764 root 0.0 18376 396656 /usr/bin/knotify4

HOST=myhost |COLLECTOR_NAME=up_table |PID=17764|USER=root|%CPU=0.0|CMD=/usr/bin/knotify4

15649 root 0.0 2368 108956 /bin/bash

HOST=myhost |COLLECTOR_NAME=up_table |PID=15649|USER=root|%CPU=0.0|CMD=/bin/bash

15646 root 0.0 29504 493824 konsole

HOST=myhost |COLLECTOR_NAME=up_table |PID=15646|USER=root|%CPU=0.0|CMD=konsole

3288 root 0.0 528 4064 /sbin/mingetty /dev/tty2

HOST=myhost |COLLECTOR_NAME=up_table |PID=3288|USER=root|%CPU=0.0|CMD=/sbin/mingetty

3251 root 0.0 3932 144556 /bin/rscd

HOST=myhost |COLLECTOR_NAME=up_table |PID=3251|USER=root|%CPU=0.0|CMD=/bin/rscd

1611 root 0.0 636 9120 /sbin/dhclient

HOST=myhost |COLLECTOR_NAME=up_table |PID=1611|USER=root|%CPU=0.0|CMD=/sbin/dhclient

705 root 0.0 0 0 [vmmemctl]

HOST=myhost |COLLECTOR_NAME=up_table |PID=705|USER=root|%CPU=0.0|CMD=[vmmemctl]

418 root 0.0 416 10944 /sbin/udevd -d

HOST=myhost |COLLECTOR_NAME=up_table |PID=418|USER=root|%CPU=0.0|CMD=/sbin/udevd

4 root 0.0 0 0 [ksoftirqd/0]

HOST=myhost |COLLECTOR_NAME=up_table |PID=4|USER=root|%CPU=0.0|CMD=[ksoftirqd/0]

1 root 0.0 1416 19364 /sbin/init

HOST=myhost |COLLECTOR_NAME=up_table |PID=1|USER=root|%CPU=0.0|CMD=/sbin/init

table with fields and filter

In this example, you use the command to extract the PID, USER, %CPU, and CMD fields when the fields occur in records that contain itda.

Command

... | table fields PID USER %CPU CMD filter itda

Output

22227 root 0.3 149836 1861804 itda_database

HOST=myhost |COLLECTOR_NAME=up_table|PID=22227|USER=root|%CPU=0.3|CMD=itda_database

22225 root 2.4 761484 2765776 itda_server

HOST=myhost |COLLECTOR_NAME=up_table|PID=22225|USER=root|%CPU=2.4|CMD=itda_server

22222 root 1.0 578668 2284768 itda_station

HOST=myhost |COLLECTOR_NAME=up_table|PID=22222|USER=root|%CPU=1.0|CMD=itda_station

22220 root 1.3 1433560 2444112 itda_indexer

HOST=myhost |COLLECTOR_NAME=up_table|PID=22220|USER=root|%CPU=1.3|CMD=itda_indexer

Notes

  • For this command to produce the desired results, the data must contain rows that are separated by a new-line separator (\n).
  • The command assumes that columns in the data are separated by a space character ( ).
  • If data entries that appear in the columns contain a space character ( ), the command might not function properly.
  • If a column name in the event data contains a space, each word in the column name is treated as a separate column name.
    For example, if you have three columns in the data (HOST, Request Type, and COLLECTOR_NAME), then Request and Type are considered as separate column names, and the data under column COLLECTOR_NAME is considered to be data for column Type (leaving the column COLLECTOR_NAME with no values).
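
The space-splitting rules in these notes are why the sample output shows CMD=/sbin/mingetty and CMD=/sbin/udevd with their arguments dropped, which matters when the CMD field feeds process monitoring or alerting. The following Python sketch is an added example, not the product's implementation: it models the documented rules and flags rows whose trailing tokens would be lost. The function names, the single-value filter, and the `keep_tail` pre-processing option are assumptions made for illustration.

```python
# Model of the documented rules only; not the product's implementation.
# Rows below are copied from the page's sample data.
SAMPLE = """\
  PID USER     %CPU     RSS     VSZ CMD
 3288 root      0.0     528    4064 /sbin/mingetty /dev/tty2
  418 root      0.0     416   10944 /sbin/udevd -d
22225 root      2.4  761484 2765776 itda_server
"""
# Constructed input for the "Request Type" note (values are made up).
SHIFTED = "HOST Request Type COLLECTOR_NAME\nmyhost GET up_table\n"


def _rows(raw):
    """Return (title-row tokens, stripped data rows), skipping blank lines."""
    lines = [ln.strip() for ln in raw.split("\n") if ln.strip()]
    return lines[0].split(), lines[1:]


def table(raw, fields=None, filter_value=None, keep_tail=False):
    """Rows split on newlines, columns on spaces, values mapped by position.

    keep_tail is a hypothetical pre-processing fix: the last column absorbs
    the rest of the line, so command-line arguments are preserved.
    """
    header, rows = _rows(raw)
    records = []
    for line in rows:
        if filter_value and filter_value not in line:
            continue
        values = line.split(None, len(header) - 1) if keep_tail else line.split()
        record = dict(zip(header, values))  # surplus tokens are silently dropped
        if fields:
            record = {k: record[k] for k in fields if k in record}
        records.append(record)
    return records


def lossy_rows(raw):
    """Rows with more tokens than the title row has columns (data would be lost)."""
    header, rows = _rows(raw)
    return [line for line in rows if len(line.split()) > len(header)]


if __name__ == "__main__":
    print(table(SAMPLE, fields=["PID", "CMD"]))
    print(table(SAMPLE, keep_tail=True)[0]["CMD"])
    print(lossy_rows(SAMPLE))
    print(table(SHIFTED))
```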
