COLUMNS Statement

COLUMNS is used to define which columns should appear in the results and how they should be computed. 

<columnsStatement> ::= "COLUMNS" <columnsList> | <aggregationList> ;
<columnList> ::= <columnExpression> ( "," <columnExpression> )* ;
<aggregationList> ::= <aggregationExpression> ( "," <aggregationExpression> )* ;

A COLUMNS statement can be a column based expression or an aggregate expression. A column based expression is any expression supporting mathematical and logical operators, functions, and other operators. For details, see FILTER Statement. An aggregate expression is a similar expression that contains an aggregationFunction. If all columns use aggregation functions, the result contains only one row with results of the aggregation. For details, see GROUP BY Statement.

When defining a column name in a search query, it must be enclosed in square brackets ([]) in the following scenarios:

  • If a column name is also an EQL or SQL keyword, for example, "use MyEventSourceConfiguration |[IN] >5" .
  • If a column name has a space, for example, "use Hawk_getProcess | COLUMNS Status, [Virtual KBytes] | sys_eventTime in -10y".
  • If a column name contains non-alphabetic or non-digit characters such as dash (-), for example, "[ab]", to distinguish it from the subtraction expression "a-b".

The following data types for columns are supported:

  • String
  • Integer
  • Long
  • Double
  • Boolean
  • Timestamp
  • IP address

Examples

Columns Expression Definition
columns sys_eventTime, sys_collectIP, sys_body The result is a table with three columns:

sys_eventTime, sys_collectIP, sys_body. The columns could be one of the pre-parsed columns such as sys_eventTime, sys_body, or columns from configured parsers. See USE Statement.

columns count(ll_sourceUser) The result has one column with one row with count of all events that has ll_sourceUser column with no empty value.
columns ToInt(ll_eventActionID)+2 as action, sys_body The result is a table with two columns, the first column called 'action' with the value of converting ll_eventActionID to int and adding 2 to it, and the second column is sys_body.
columns max(length(sys_body)) -

min(length(sys_body))

The result is a table with a column containing the difference in length between the longest and shortest events.