Cribl Functions
Cribl Search supports additional functions that you can use together with the summarize,
eventstats, and timestats operators to aggregate your data. We refer to those additional
functions as Cribl functions, since they’re specific to Cribl Search.
Cribl Search supports the following Cribl functions:
| Name | Description |
|---|---|
findearliest | Returns the earliest value of an expression across the group. |
findearliestif | Returns the earliest value of an expression across the group for which a predicate evalutes to true. |
findfirst | Returns the first observed value of an expression across the group. |
findfirstif | Returns the first observed value of an expression across the group for which a predicate evalutes to true. |
findlast | Returns the last observed value of an expression across the group. |
findlastif | Returns the last observed value of an expression across the group for which a predicate evalutes to true. |
findlatest | Returns the latest value of an expression across the group. |
findlatestif | Returns the latest value of an expression across the group for which a predicate evalutes to true. |
list | Returns the list of values of an expression across the group |
median | Returns the middle value of an expression across the group. |
medianif | Returns the middle value of an expression across the group for which a predicate evalutes to true. |
persecond | Returns the per-second rate of an expression across the group |
persecondif | Returns the per-second rate of an expression across the group for which a predicate evalutes to true. |
rate | Returns the rate observed value of an expression across the group. |
rateif | Returns the rate observed value of an expression across the group for which a predicate evalutes to true. |
sumsq | Returns the sum of squares of an expression across the group. |
sumsqif | Returns the sum of squares of an expression across the group for which a predicate evalutes to true. |
values | Returns all of the distinct values of an expression across the group. |