Functions
A comprehensive list of all functions supported in Cribl Search, grouped by category.
Context Functions
Context functions return contextual information about your search.
| Name | Description |
|---|---|
| createdTime() | Time when the search was created, in seconds. |
| earliestTime() | Beginning of the search’s time range, in seconds. |
| jobID() | Unique search identifier. |
| latestTime() | End of the search’s time range, in seconds. |
| query() | Query string. |
| user() | Username of the user who created the search. |
| displayUsername() | Friendly display name (typically first + last name) of the user who created the search. |
Cribl Functions
Cribl functions can be used together with the summarize, eventstats, and timestats operators to aggregate your data. We refer to these additional functions as Cribl functions, since they’re specific to Cribl Search.
| Name | Description |
|---|---|
| findearliest | Returns the earliest value of an expression across the group. |
| findearliestif | Returns the earliest value of an expression across the group for which a predicate evaluates to true. |
| findfirst | Returns the first observed value of an expression across the group. |
| findfirstif | Returns the first observed value of an expression across the group for which a predicate evaluates to true. |
| findlast | Returns the last observed value of an expression across the group. |
| findlastif | Returns the last observed value of an expression across the group for which a predicate evaluates to true. |
| findlatest | Returns the latest value of an expression across the group. |
| findlatestif | Returns the latest value of an expression across the group for which a predicate evaluates to true. |
| list | Returns the list of values of an expression across the group. |
| median | Returns the middle value of an expression across the group. |
| medianif | Returns the middle value of an expression across the group for which a predicate evaluates to true. |
| persecond | Returns the per-second rate of an expression across the group. |
| persecondif | Returns the per-second rate of an expression across the group for which a predicate evaluates to true. |
| rate | Returns the observed rate of an expression across the group. |
| rateif | Returns the observed rate of an expression across the group for which a predicate evaluates to true. |
| sumsq | Returns the sum of squares of an expression across the group. |
| sumsqif | Returns the sum of squares of an expression across the group for which a predicate evaluates to true. |
| values | Returns all of the distinct values of an expression across the group. |
Scalar Functions
Scalar functions perform calculations, transformations, or conversions.
Binary Functions
| Name | Description |
|---|---|
| binary_and | Returns the result of the bitwise AND operation between two values. |
| binary_not | Returns the bitwise negation of the input value. |
| binary_or | Returns the result of the bitwise OR operation of the two values. |
| binary_shift_left | Returns the binary shift-left operation on a pair of numbers. |
| binary_shift_right | Returns the binary shift-right operation on a pair of numbers. |
| binary_xor | Returns the bitwise XOR operation of the two values. |
| from_binary_string | Takes a binary string and returns a number. |
| to_binary_string | Takes a number and returns a binary string. |
Conditional Functions
| Name | Description |
|---|---|
| case | Evaluates a list of predicates and returns the first result expression whose predicate is satisfied. |
| coalesce | Evaluates a list of expressions and returns the first non-null (or non-empty, for strings) expression. |
| iif (iff) | Evaluates the first argument (the predicate), and returns the value of either the second or third argument, depending on whether the predicate evaluated to true (second) or false (third). |
| max_of | Returns the maximum value of several evaluated numeric expressions. |
| min_of | Returns the minimum value of several evaluated numeric expressions. |
Conversion Functions
| Name | Description |
|---|---|
| bin | Rounds values down to an integer multiple of a given bin size. |
| bin_auto | Rounds values down to a fixed-size bin. |
| floor | Rounds values down to an integer multiple of a given floor size. |
| gettype | Returns the type of the input value. |
| tobool | Converts the input to a bool value. |
| todouble (toreal, todecimal) | Converts the input to a double (real, decimal) value. |
| toint (tolong) | Converts the input to an int (long) value. |
| tostring | Converts the input to a string value. |
DateTime Functions
| Name | Description |
|---|---|
| ago | Subtracts the given timespan from the current UTC clock time. |
| datetime_add | Calculates a new datetime from a specified datepart multiplied by a specified amount, added to a specified datetime. |
| datetime_diff | Calculates the number of the specified periods between two datetime values. |
| datetime_part | Extracts the requested date part as an integer value. |
| dayofmonth | Returns the integer representing the day number within the given month. |
| dayofweek | Returns an integer between 0 and 6 representing the day of the week, beginning on Sunday. |
| dayofyear | Returns the integer representing the day number within the given year. |
| endofday | Returns the end of the day containing the date, shifted by an offset, if provided. |
| endofmonth | Returns the end of the month containing the date, shifted by an offset, if provided. |
| endofweek | Returns the end of the week containing the date, shifted by an offset, if provided. |
| endofyear | Returns the end of the year containing the date, shifted by an offset, if provided. |
| format_datetime | Formats a datetime according to the provided format. |
| format_timespan | Formats a timespan according to the provided format. |
| getmonth (monthofyear) | Gets the month number (1–12) from a datetime. |
| getyear (yearofyear) | Returns the year part of a datetime. |
| hourofday | Returns the integer representing the hour number of the given date. |
| make_datetime | Converts the specified date and time into a datetime value (Unix time in seconds). |
| make_timespan | Converts the specified time period into a datetime value (Unix time in seconds). |
| now | Returns the current UTC clock time as a datetime value (Unix time in seconds). |
| startofday | Returns the start of the day containing the date, shifted by an offset, if provided. |
| startofmonth | Returns the start of the month containing the date, shifted by an offset, if provided. |
| startofweek | Returns the start of the week containing the date, shifted by an offset, if provided. |
| startofyear | Returns the start of the year containing the date, shifted by an offset, if provided. |
| strftime (format_time) | Converts a datetime (date) object to a human-readable string. |
| strptime (parse_time) | Converts a string to a datetime. |
| todatetime | Converts the input into a datetime value (Unix time in seconds). |
| totimespan | Converts the input into a number of seconds. |
| unixtime_microseconds_todatetime | Converts the input into a datetime value (Unix time in seconds). |
| unixtime_milliseconds_todatetime | Converts the input into a datetime value (Unix time in seconds). |
| unixtime_nanoseconds_todatetime | Converts the input into a datetime value (Unix time in seconds). |
| unixtime_seconds_todatetime | Converts the input into a datetime value (Unix time in seconds). |
| week_of_year | Returns an integer representing the week number. |
Dynamic Functions
Dynamic scalar functions allow you to manipulate objects by operating on dynamic values, including dynamic arrays
and property bags.
| Name | Description |
|---|---|
| bag_has_key | Checks whether a property bag contains a given key. |
| bag_keys | Lists all root keys of a property bag. |
| bag_merge | Merges multiple property bags, discarding duplicate keys. |
| bag_pack | Creates a property bag from an alternating list of keys and values. |
| bag_pack_columns | Creates a property bag from a list of columns. |
| bag_remove_keys | Removes key-value pairs from a property bag. |
| bag_set_key | Adds or overwrites a key-value pair in a property bag. |
| bag_zip | Creates a property bag from two dynamic arrays. |
| make_bag | Creates a property bag from multiple input bags. |
| make_bag_if | Creates a property bag from those input bags that meet the specified condition. |
| zip | Merges dynamic arrays, grouping elements by index. |
The following string functions support dynamic types as well:
| Function | Usage with dynamic data types |
|---|---|
| extractjson(`path,object`) | Uses path to navigate into object. |
| parse_json(`source`) | Turns a JSON string into a dynamic object. |
| range(`from,to,step`) | Generates an array of values. |
Hash Functions
| Name | Description |
|---|---|
| hash | Returns a hash value for the input value. |
| hash_combine | Combines hash values of two or more hashes. |
| hash_many | Returns a combined hash value of multiple values. |
| hash_md5 | Returns an MD5 hash value for the input value. |
| hash_sha1 | Returns a SHA-1 hash value for the input value. |
| hash_sha256 | Returns a SHA-256 hash value for the input value. |
| hash_xxhash64 | Returns a 64-bit xxHash value for the input value. |
INET Functions
| Name | Description |
|---|---|
| ipv4_compare | Compares two IPv4 strings. |
| ipv4_is_in_range | Checks if an IPv4 string address is in an IPv4-prefix notation range. |
| ipv4_is_in_any_range | Checks whether an IPv4 string address is in any of the specified IPv4 address ranges. |
| ipv4_is_match | Matches two IPv4 strings. |
| ipv4_is_private | Checks if an IPv4 string address belongs to a set of private network IPs. |
| ipv4_netmask_suffix | Returns the value of the IPv4 netmask suffix from an IPv4 string address. |
| ipv6_compare | Compares two IPv6 or IPv4 network address strings. |
| ipv6_is_match | Matches two IPv6 or IPv4 network address strings. |
| format_bytes | Converts the input into a string that represents a data size. |
| format_ipv4 | Parses input with a netmask and returns a string representing the IPv4 address. |
| format_ipv4_mask | Parses input with a netmask and returns a string representing the IPv4 address in CIDR notation. |
Mathematical Functions
| Name | Description |
|---|---|
| abs | Calculates the absolute value of the input. |
| acos | Calculates the angle whose cosine is the specified number. |
| asin | Calculates the angle whose sine is the specified number. |
| atan | Returns the angle whose tangent is the specified number. |
| atan2 | Calculates the angle, in radians, between the positive x-axis and the ray from the origin to the point (y, x). |
| beta_cdf | Returns the standard cumulative beta distribution function. |
| beta_inv | Returns the inverse of the beta cumulative probability density function. |
| beta_pdf | Returns the beta probability density function. |
| ceil | Rounds up a numeric expression’s value to the nearest integer. |
| ceiling | Rounds up a numeric expression’s value to the nearest integer. |
| cos | Returns the cosine function. |
| cot | Calculates the trigonometric cotangent of the specified angle, in radians. |
| degrees | Converts an angle value in radians into a value in degrees. |
| exp | Calculates the base-e exponential function of x. |
| exp2 | Calculates the base-2 exponential function of x. |
| exp10 | Calculates the base-10 exponential function of x. |
| gamma | Computes the gamma function. |
| isfinite | Returns whether the input is a finite value. |
| isinf | Returns whether the input is an infinite value. |
| isnan | Returns whether the input is a Not-a-Number (NaN) value. |
| log | Returns the natural logarithm function. |
| log2 | Returns the base-2 logarithm function. |
| log10 | Returns the common (base-10) logarithm function. |
| loggamma | Computes the log of the absolute value of the gamma function. |
| not | Reverses the value of its boolean argument. |
| pi | Returns the constant value of Pi. |
| pow | Returns the result of raising a number to a power. |
| radians | Converts an angle value in degrees into a value in radians. |
| rand | Returns a random number. |
| range | Generates a dynamic array holding a series of equally spaced values. |
| round | Returns the source rounded to the specified precision. |
| sign | Returns the sign of a numeric expression. |
| sin | Returns the sine of a numeric expression. |
| sqrt | Returns the square root function. |
| tan | Returns the tangent function. |
String Functions
| Name | Description |
|---|---|
| base64_decode_toarray | Decodes a base64 string to an array of long values. |
| base64_decode_tostring | Decodes a base64 string to a UTF-8 string. |
| base64_encode_fromarray | Encodes a base64 string from a bytes array. |
| base64_encode_tostring | Encodes a string as a base64 string. |
| countof | Counts occurrences of a substring in a string. |
| extract | Gets a match for an RE2 regular expression from a source string. |
| extract_all | Gets all matches for an RE2 regular expression from a source string. |
| extract_json | Gets a specified element out of a JSON text using a path expression. |
| has_any_index | Gets a match for an RE2 regular expression from a source string. |
| indexof | Reports the zero-based index of the first occurrence of a specified string within the input string. |
| isempty | Returns true if the argument is an empty string or is null. |
| isnotempty (notempty) | Returns true if the argument isn’t an empty string and isn’t null. |
| isnotnull (notnull) | Returns true if the argument is not null. |
| isnull | Indicates whether the argument evaluates to a null value. |
| match_regex | Searches a text string for a specific pattern defined by a regular expression. |
| parse_csv | Splits a given string representing a single record of comma-separated values. |
| parse_ipv4 | Converts an IPv4 string to a long (signed 64-bit) number representation in big-endian order. |
| parse_ipv4_mask | Converts the input string of IPv4 and netmask to a signed, 64-bit wide, long number representation in big-endian order. |
| parse_ipv6 | Converts an IPv6 or IPv4 string to a canonical IPv6 string representation. |
| parse_ipv6_mask | Converts an IPv6/IPv4 string and netmask to a canonical IPv6 string representation. |
| parse_json (todynamic) | Interprets a string as a JSON value and returns the value as dynamic. |
| parse_url | Parses an absolute URL string and returns a dynamic object that contains the URL parts. |
| parse_urlquery | Returns a dynamic object that contains the query parameters. |
| parse_version | Converts the input string representation of a version to a comparable decimal number. |
| replace_regex | Replaces all RE2 regular expression matches with another string. |
| reverse | Reverses the order of the input string. |
| split | Splits a given string according to a given delimiter. |
| strcat | Concatenates between 1 and 64 arguments. |
| strcat_delim | Concatenates between 2 and 64 arguments, with a delimiter. |
| strcmp | Compares two strings. |
| strlen | Returns the length, in characters, of the input string. |
| strrep | Repeats a given string a specified number of times. |
| substring | Extracts a substring from a source string, starting from some index to the end of the string. |
| tolower | Converts a string to lower case. |
| toupper | Converts a string to upper case. |
| translate | Replaces a set of characters with another set of characters in a given string. |
| trim | Removes all leading and trailing matches of the specified string or regular expression. |
| trim_end | Removes the trailing match of the specified regular expression. |
| trim_start | Removes the leading match of the specified regular expression. |
| url_decode | Converts an encoded URL into its regular URL representation. |
| url_encode | Converts characters of the input URL into a format that can be transmitted over the Internet. |
Statistical Functions
| Name | Description |
|---|---|
| avg | Calculates the average across the group. |
| avgif | Calculates the average across the group where a predicate evaluates to true. |
| count | Counts events per summarization group. |
| countif | Counts events based on a predicate. |
| dcount | Calculates an estimate of the number of distinct values. |
| dcountif | Calculates an estimate of the number of distinct values for those rows where a predicate evaluates to true. |
| max | Finds the maximum value across the group. |
| maxif | Finds the maximum value for which a predicate evaluates to true. |
| min | Finds the minimum value across the group. |
| minif | Finds the minimum value for which a predicate evaluates to true. |
| percentile | Returns an estimate for the specified nearest-rank percentile of the population defined. |
| stdev | Calculates the standard deviation of an expression across the group. |
| stdevif | Calculates the standard deviation of an expression for which a predicate evaluates to true. |
| stdevp | Calculates the standard deviation of an expression across the group, considering the group as a population. |
| sum | Calculates the sum of an expression across the group. |
| sumif | Calculates the sum of an expression for which a predicate evaluates to true. |
| variance | Calculates the variance of an expression. |
| varianceif | Calculates the variance of an expression for which a predicate evaluates to true. |
| variancep | Calculates the variance of an expression across the group, considering the group as a population. |
Window Functions
| Name | Description |
|---|---|
| next | Returns the value of a specific field in a subsequent row. |
| prev | Returns the value of a specific field in a previous row. |
| row_cumsum | Calculates the cumulative sum for a specified field across all previous rows. |
| row_number | Assigns a unique row number to each row within the results. |
| row_rank_dense | Assigns a unique numerical position (rank) to each row within the results. |
| row_rank_min | Assigns a minimal numerical position (rank) to each row within the results. |
| row_window_session | Identifies the value at the beginning of each session for a specified field within the results. |