COLUMNS Statement
COLUMNS is used to define which columns should appear in the results and how they should be computed.
<columnsStatement> ::= "COLUMNS" <columnsList> | <aggregationList> ; <columnList> ::= <columnExpression> ( "," <columnExpression> )* ; <aggregationList> ::= <aggregationExpression> ( "," <aggregationExpression> )* ;
A COLUMNS statement can be a column based expression or an aggregate expression. A column based expression is any expression supporting mathematical and logical operators, functions, and other operators. For details, see FILTER Statement. An aggregate expression is a similar expression that contains an aggregationFunction. If all columns use aggregation functions, the result contains only one row with results of the aggregation. For details, see GROUP BY Statement.
When defining a column name in a search query, it must be enclosed in square brackets ([]) in the following scenarios:
- If a column name is also an EQL or SQL keyword, for example,
"use MyEventSourceConfiguration |[IN] >5"
. - If a column name has a space, for example,
"use Hawk_getProcess | COLUMNS Status, [Virtual KBytes] | sys_eventTime in -10y"
. - If a column name contains non-alphabetic or non-digit characters such as dash (-), for example,
"[ab]"
, to distinguish it from the subtraction expression "a-b".
The following data types for columns are supported:
- String
- Integer
- Long
- Double
- Boolean
- Timestamp
- IP address
Examples
Columns Expression | Definition |
---|---|
columns sys_eventTime, sys_collectIP, sys_body
|
The result is a table with three columns:
|
columns count(ll_sourceUser)
|
The result has one column with one row with count of all events that has ll_sourceUser column with no empty value. |
columns ToInt(ll_eventActionID)+2 as action, sys_body
|
The result is a table with two columns, the first column called 'action' with the value of converting ll_eventActionID to int and adding 2 to it, and the second column is sys_body. |
columns max(length(sys_body)) -
|
The result is a table with a column containing the difference in length between the longest and shortest events. |