
findearliest

The findearliest aggregation function returns the value of Expression taken from the event with the earliest _time in each group. The ordering is always by _time, not by the value of Expression itself.

Use this function with the summarize, eventstats, and timestats operators.

Syntax

    findearliest( Expression )

Arguments

  • Expression: The expression whose value is returned from the earliest event in the group. Wildcards are not supported in field names.

Examples

Return the earliest event by _time:

dataset="cribl_search_sample"
| summarize findearliest(_time)

Return the value of a custom field (receiptTime) from the earliest event by _time. Note that this is not the smallest receiptTime; it is the receiptTime carried by whichever event has the smallest _time:

dataset=myDataset
| summarize findearliest(receiptTime)
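The distinction between "earliest event by _time" and "minimum value of the field" is easy to get wrong when reviewing a detection query, so the following added example (not Cribl's code, and not from this page) emulates the semantics of findearliest in Python over a constructed set of events. It assumes that events lacking _time are skipped and that ties on _time keep the first event seen in input order; the receiptTime values are deliberately out of _time order so the difference is visible, and one group's earliest event lacks the requested field to show that the result is then empty rather than taken from a later event.

```python
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample events (not from the page). receiptTime is deliberately
# NOT in _time order, web-2's earliest event has no msg field, and web-3 has
# no _time at all, so the edge cases are exercised.
SAMPLE_EVENTS: List[dict] = [
    {"_time": 1700000100, "host": "web-1", "receiptTime": 1700000050, "msg": "a"},
    {"_time": 1700000000, "host": "web-1", "receiptTime": 1700000400, "msg": "b"},
    {"_time": 1700000200, "host": "web-2", "receiptTime": 1700000210, "msg": "c"},
    {"_time": 1700000150, "host": "web-2", "receiptTime": 1700000300},  # no msg
    {"host": "web-3", "receiptTime": 1700000001, "msg": "e"},  # no _time
]


def find_earliest(events: Iterable[dict], field: str) -> Optional[Any]:
    """Emulate findearliest(field) over one group.

    Returns `field` from the event with the smallest _time. Assumptions made
    here (not stated on the page): events without _time cannot be ordered and
    are skipped; ties on _time keep the first event seen in input order.
    """
    best: Optional[dict] = None
    for ev in events:
        t = ev.get("_time")
        if t is None:
            continue
        if best is None or t < best["_time"]:
            best = ev
    if best is None:
        return None
    # If the earliest event lacks the field, the result is empty; the value
    # is never borrowed from a later event.
    return best.get(field)


def summarize_find_earliest(
    events: Iterable[dict], field: str, by: Optional[str] = None
) -> Dict[Any, Optional[Any]]:
    """Emulate `summarize findearliest(field) [by <by>]`.

    Without `by` there is a single group, keyed here as None. With `by`,
    events are bucketed on that field and find_earliest runs per bucket.
    """
    if by is None:
        return {None: find_earliest(events, field)}
    groups: Dict[Any, List[dict]] = {}
    for ev in events:
        groups.setdefault(ev.get(by), []).append(ev)
    return {key: find_earliest(evs, field) for key, evs in groups.items()}


if __name__ == "__main__":
    # Equivalent of: dataset=... | summarize findearliest(receiptTime)
    print(summarize_find_earliest(SAMPLE_EVENTS, "receiptTime"))
    # Equivalent of: dataset=... | summarize findearliest(receiptTime) by host
    print(summarize_find_earliest(SAMPLE_EVENTS, "receiptTime", by="host"))
    # Contrast with the smallest receiptTime, which findearliest does NOT return
    print(min(e["receiptTime"] for e in SAMPLE_EVENTS))
```

When validating a query that pins an alert to "the first time X was seen", compare the result of findearliest(field) against min(field) over the same group, as the last line of the example does: if they differ, the field is not monotonic with _time and the query is reporting the earliest event's value, not the earliest value.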