findlast

The findlast aggregation function returns the last observed non-null value of Expression across the group.

Use this function with the summarize, eventstats, and timestats operators.

Syntax

findlast( Expression )

Arguments

Expression: Expression used for aggregation calculation. Wildcards are not supported for field names.

Usage

To find a latest event with respect to the _time field, instead use findlatest.

You can use findlast after a sort or order operator when sorting by a non-time field. Once events are sorted, this function acts much like max.

Examples

Here is a basic example:

dataset=myDataset
| summarize findlast(channel)

This example effectively finds min(status) and max(status):

dataset="cribl_internal_logs" status=/[0-9]+/ 
| order by status asc 
| summarize x = findfirst(status), y = findlast(status)

Run in Cribl Search

findlast

Syntax​

Arguments​

Usage​

Examples​

Common Resources

Syntax

Arguments

Usage

Examples