Project Operators
A Seat at the Table (project)
Sometimes when reporting, you may not need to do any kind of fancy-schmancy aggregation. Sometimes you just want to return the events exactly as they are, but in a table format. If that's what you need, then here comes the `render` operator to your rescue. The `render` operator will show your results in the format that you specify without doing anything else to change the data.
- Clear the query box.
- Enter the following query:

```
dataset="cribl_search_sample" dataSource="access_combined"
| limit 100000
| render table
```

- Click SEARCH.
You Can't Sit With Us (project-away)
With those two words, we've now got a tabular view of our search results. However, in many cases, having too much information is just as crippling as having too little. There are a ton of fields here that we don't really care to see, so let's go ahead and evict them from our table. We'll do that using the `project` operator.
- Clear the query box.
- Enter the following query:

```
dataset="cribl_search_sample" dataSource="access_combined"
| limit 100000
| project host, clientip, status, bytes
| render table
```

- Click SEARCH.
Using the `project` operator, we are able to specify exactly which fields we want included in the results. The fields included can even be evaluated within the `project` operator and don't have to exist in the data. If we wanted to remove select fields instead of specifying which fields to keep, we could use the `project-away` operator in exactly the same way as the `project` operator: any fields listed would be removed from the search results going forward.
A Rose By Any Other Name (project-rename)
Similar to the `project` and `project-away` operators, there is another project operator that you will undoubtedly find useful. The `project-rename` operator allows you to change the name of a field.
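To tie the three operators together, here is an added example query that is not part of the original lab. It assumes the same sample dataset and field names used above (`dataset`, `dataSource`, `host`, `clientip`, `status`, `bytes`), the Kusto-style `Name = Expression` form for computed and renamed fields, and the field names `kilobytes`, `client_ip` and `http_status`, which are our own choices:

```kql
// Added example, not from the original lab. Same sample dataset as the exercises above.
dataset="cribl_search_sample" dataSource="access_combined"
| limit 100000
// Keep four existing fields and add one evaluated field that does not exist in the data
// (assumes Kusto-style Name = Expression syntax in project)
| project host, clientip, status, bytes, kilobytes = bytes / 1024
// Remove the raw byte count now that kilobytes has been derived from it
| project-away bytes
// Rename fields for the report (NewName = OldName; names chosen for this example)
| project-rename client_ip = clientip, http_status = status
| render table
```

Order matters in this pipeline: once `project-away bytes` runs, `bytes` is no longer available to any later operator, and after `project-rename` any later operator must refer to `client_ip` and `http_status` rather than the original names. If a later step reports a missing field, check whether an earlier project step already removed or renamed it.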