table

Retrieves data stored in a Logpresso table.

Command properties

Property	Description
Command type	Driver query
Required permission	Table read permission (admin permission also required when using `raw=t`)
License usage	Counted
Parallel execution	Supported
Distributed execution	Runs on Data Node (mapper)

Syntax

To query historical data:

table [order={desc|asc}] [offset=LONG] [limit=LONG] [duration=INT{s|m|h|d|mon}] [from=DATE] [to=DATE] [parser=STR] [parallel=BOOL] [eachtable=BOOL] [raw=BOOL] [lazy=BOOL] [fields=STR] TABLE [TABLE ...]

To receive real-time data:

table window=INT{s|m|h|d|mon} [parser=STR] [lazy=BOOL] [fields=STR] TABLE [TABLE ...]

Options

order={desc|asc}: Table scan order (default: desc).

desc: Retrieves from the most recent data
asc: Retrieves from the oldest data

offset=LONG: Number of records to skip. Specify a value of 0 or greater.
limit=LONG: Maximum number of records to retrieve.
duration=INT{s|m|h|d|mon}: Limits the data to within a specified time range from the current time. Supports units s (seconds), m (minutes), h (hours), d (days), and mon (months). For example, 10m means the range from 10 minutes ago to the current time. Cannot be used together with window.
from=DATE: Start time of the query range. Enter in yyyyMMddHHmmss format. Trailing digits can be omitted and are filled with zeros. Cannot be used together with window.
to=DATE: End time of the query range. Enter in yyyyMMddHHmmss format. Trailing digits can be omitted and are filled with zeros. Cannot be used together with window.
window=INT{s|m|h|d|mon}: Receives data newly written to the table in real time for the specified duration after the query starts. Supports units s (seconds), m (minutes), h (hours), d (days), and mon (months). Cannot be used together with from, to, or duration.
parser=STR: Name of the log parser to use for record parsing.
parallel=BOOL: When set to t, enables parallel scanning. If limit is not specified, the scan order is automatically switched to ascending.
eachtable=BOOL: When set to t, applies offset and limit per table rather than to the total result set.
raw=BOOL: When set to t, retrieves raw data without applying a log parser. Requires administrator privileges.
lazy=BOOL: When set to t, enables lazy loading. Initially loads only metadata; actual data is loaded on demand.
fields=STR: Field names to load, separated by commas. Specifying fields improves performance by reading only those fields.

Target

TABLE: Name of the table to query. Specify in the format [NODE:][[NAMESPACE\]]TABLE[?]. You can specify multiple tables separated by spaces, and you can use the * wildcard.

NODE: — Data Node name (omit to target all nodes)
NAMESPACE\ — Table namespace (optional)
TABLE — Table name
? — Appended to the name; skips the table without error if it does not exist

Output fields

Field	Type	Description
_table	string	Table name. Remote node tables use the `NODE:TABLE` format
_time	timestamp	Record timestamp
_sk	long	Storage key
_era	integer	Epoch number
_id	long	Record sequence number within the partition

If a log parser is configured for the table, the fields returned by the parser are also included.

Error codes

Parsing errors

Error code	Message	Description
10600	저장소가 닫혀 있습니다.	The storage is closed
10601	offset 값은 0보다 크거나 같아야 합니다: 입력값=[offset].	The `offset` value is less than 0
10602	입력값이 허용 범위를 벗어났습니다: limit=[offset].	The `limit` value is out of range
10603	[options]에서 [exp] 잘못된 옵션입니다.	An invalid table specifier was used
10604	테이블이 없습니다.	No table was specified
10605	테이블 [table]이(가) 존재하지 않습니다.	The specified local table does not exist
10606	테이블 [table] 읽기 권한이 없습니다.	No read permission for the local table
10607	테이블 [table]이(가) 존재하지 않습니다.	The specified remote table does not exist
10608	테이블 [table] 읽기 권한이 없습니다.	No read permission for the remote table
no-raw-permission	—	No administrator permission when using `raw=t`

Runtime errors

N/A

Description

The table command retrieves data stored in a Logpresso table. As a driver query, it must be used as the first command in a query pipeline.

When the window option is specified, the command operates in real-time reception mode instead of scanning historical data. It receives data newly written to the table until the specified time has elapsed from when the query started or until the query is cancelled. It cannot be used together with the from, to, or duration options.

In a distributed environment, the scan is executed on each Data Node where the table is stored.

Examples

Retrieve all data from a web server log
```
table WEB_APACHE
```
Retrieves all web access records from the WEB_APACHE table.
Retrieve firewall block events for a specific period
```
table from=20250315 to=20250319 FW_BLOCK_LOG
```
Retrieves events blocked by the firewall from March 15, 2025 to March 19, 2025.
Retrieve the top 100 recent security events in the last hour
```
table duration=1h order=desc limit=100 SECURITY_EVENT_LOG
```
Retrieves the 100 most recent security events from the last hour in reverse chronological order.
Retrieve multiple security logs at once
```
table duration=1d WEB_APACHE FW_BLOCK_LOG NET_DNS_QUERY_LOG
```
Retrieves web access logs, firewall block logs, and DNS query logs all from the last day.
Retrieve web server logs using a wildcard
```
table duration=1d WEB_APACHE*
```
Retrieves web server logs from the last day from all tables whose names start with WEB_APACHE.
Monitor real-time security events
```
table window=60s SECURITY_EVENT_LOG
```
Receives new security events written to the SECURITY_EVENT_LOG table in real time for 60 seconds from when the query starts.
Dynamic date range query using parameters
```
set from = string(dateadd(now(), "day", -7), "yyyyMMdd")
| set to = string(now(), "yyyyMMdd")
| table from=$("from") to=$("to") WEB_APACHE
```
Retrieves web access logs for the last 7 days. Uses the set command to dynamically calculate and pass the date range as parameters.