Table Format

Based on your search query, the results are displayed in a normalized table format. Each row summarizes one event.

The same result set can be viewed in the Raw Data Format.

Using the table format, you can perform the following tasks:

  • Showing or hiding event body

    Click Messages on or off to show or hide the event body in the sys_body column.

  • Highlighting keywords

    By default, the Highlight keyword option is set to on for queries that include CONTAINS or LIKE statements. Click the Highlight on or off link to highlight keywords or remove highlighting from the keywords. This option is not visible for queries that do not include CONTAINS or LIKE statements.

    In the following illustration, when the search query is:

        use system | sys_body CONTAINS 'success'

    the keyword success is highlighted.

  • Filtering data

    Click the column value and then select Include this Filter to filter the data based on the value. If you select the Exclude this Filter option, the results exclude the specified value.

    Note: To filter by any text in the body of the log events (sys_body column), turn the Messages view on, select the required text, and right-click the selected text.

    The Table view displays results based on the defined filters immediately. You can add multiple filters to fine-tune your search results. You can update the existing filter value. Click on the value to open the Enter value field. Update the value in the field and click . The results are refreshed immediately based on the new filter.

    The following illustration displays the table showing filtered results for sys_deviceType='Other UNIX'.

    • Click to show or hide filters from the Table panel.
    • Click the column value and then select Include this filter on Result tab to filter the data based on the value in a new Result tab. If you select Exclude this filter from Result tab, a new Result tab displays results excluding the specified value.
    • You can filter based on the event body. To do this, make sure that the Messages option is set to on. Drag the mouse to select text in the event body, and then select Include this filter to filter your results based on the event body filter. The selected keyword is highlighted in the results. If you select Exclude this filter, the results exclude the specified event body.

      The following illustration shows results based on the event body filter 1.

  • Sorting columns

    You can sort on any column, including the group-by count(*) column, group-by aggregation columns, and other columns. Click the column header and then select Sort Ascending to sort the column in ascending order. Click the column value and then select Sort Descending to sort the column in descending order.

  • Grouping by values

    Click the column header and then select Group by to view grouped results. A new Result tab opens showing the grouped results for the selected value. The number of groups is displayed against the column name in the Columns pane. However, for time-based columns, the number of unique values is displayed instead of the number of groups.

    To group by a different time range, click the time value, select the Group Dates by option, and then select the period by which to group your results. The Table panel is refreshed to show the results grouped by the selected time period. When grouped by sys_eventTime, the results are sorted in ascending order.

  • Hiding columns from the Table

    Click the column header and then select Hide to hide the selected column from the Table panel.