createtable

Use the createtable command to tabulate one or more fields from the link command results, optionally combined with fields from a sequence command table, into a named table.

Syntax:

createtable name = <name> [limit = <limit>] select <field_selects> [, <field_selects>]*

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter Description

name

Display name of the table. Quote the name if it contains spaces.

limit

Maximum number of rows in the table. Defaults to 500, which is also the maximum value allowed.

field_selects Syntax: <output_fields> [from <table>]
  • output_fields:

    Syntax: <field_name> [as <new_name>] | literal(<name>) [as <new_name>]

    • field_name: The field to return in the result. Use as <new_name> to rename the column.
    • literal(<name>): Return the value enclosed in literal() as a string, exactly as written, instead of looking it up as a field. This is useful when you want a string constant in a column but the query also has a field with the same name, which would otherwise be selected instead of the string.
  • table: The name of a sequence command table. When from <table> is given, the fields are selected from that table instead of from the link command results. A createtable command can contain several select clauses, each with its own from.

The following command joins the link command result with the sequence command result, selecting Entity and a constant risk label from the link result and 'Start Time' and Count from the sequence table named 'Security Event':

* | link Entity
  | sequence name = 'Security Event' span = 5min [ 'Security Result' = failure ]{5,} then [ 'Security Result' = success ]{1,} select 'Source IP Address'
  | createtable name = Events select Entity, literal(High) as 'Risk Level' select 'Start Time', Count from 'Security Event'

The following command tabulates the eventstats command result, one row per Severity value:

* | link Entity, Severity
  | eventstats avg('Content Size') as 'Avg Content Size' by Severity
  | createtable name = 'Size By Severity' select Severity, 'Avg Content Size'
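The following query is an added example that is not part of the original page. It builds on the eventstats example above to show the two parameters the examples do not exercise: limit, and literal() used with a name that collides with a field. Severity is both a link field and the string placed in the 'Column Label' column, so without literal() the second select would return the field value instead of the constant. The limit value of 100 is an arbitrary choice for the example.

```text
* | link Entity, Severity
  | eventstats avg('Content Size') as 'Avg Content Size' by Severity
  | createtable name = 'Size By Severity' limit = 100 select Severity, literal(Severity) as 'Column Label', 'Avg Content Size'
```

The first Severity column holds the per-row field value; the 'Column Label' column holds the string "Severity" on every row. If the table would exceed 100 rows, only the first 100 are shown, so narrow the link fields or add a where clause before createtable rather than relying on the limit to surface the rows of interest.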