Browse and search all available tabular operators for use in your queries.
filter
The filter statement (also known as 'where') allows you to selectively process only log entries that match a specific condition.
Details:
- Supports comparison operators: ==, !=, >, <, >=, <=
- Supports logical operators: and, or, not
- Can test for the existence of a field with the has operator
- Case-insensitive string matching with =~
Examples
summarize
The summarize statement calculates aggregate values over groups of log entries.
Details:
- Supports multiple aggregation functions: count(), sum(), avg(), min(), max()
- Can compute multiple aggregations in a single statement
- Optional 'by' clause groups results by specified fields
- Commonly used with time-based binning for time-series analysis
Examples
project
The project statement selects which fields to include in the output.
Details:
- Only the specified fields will appear in the output
- Can include computed columns with field assignment
- Useful for reducing dataset size and focusing on relevant fields
- Can rename fields using the 'as' keyword
Examples
extend
The extend statement adds calculated fields to the output without removing existing fields.
Details:
- Creates new fields based on expressions
- Keeps all existing fields in the output
- Can reference existing fields in the expressions
- Useful for data transformation and enrichment
Examples
sort
The sort statement orders the results based on values in specified fields.
Details:
- Default sort order is ascending
- Use 'desc' for descending sort order
- Can sort by multiple fields (secondary sort)
- Null values are considered smaller than non-null values
Examples
take
The take statement (also known as 'limit') restricts the number of rows returned.
Details:
- Returns at most the specified number of rows
- Often used with sort to get top/bottom N values
- Applied after all other operators in the pipeline
Examples
top
The top statement returns the first N rows when sorted by the specified fields.
Details:
- Default sort order is descending
- Combines sort and take in a single operation
- Useful for finding maximum or top-ranked values