Operators in Cribl Search
A comprehensive list of all operators supported in Cribl Search, grouped by category.
An operator in Cribl Search is a query component that processes data, performing actions such as filtering, counting, or
transforming events. Operators can use functions, and are delimited by the pipe character |.
For example, the limit operator sets the maximum number of events returned from a search:
dataset="cribl_search_sample"
| limit 100Aggregation Operators
Aggregation operators summarize data by grouping it based on specified fields and applying aggregation functions like
sum, avg, or max to produce meaningful insights.
| Name | Description |
|---|---|
count | Returns the number of all input events. |
eventstats | Aggregates events and adds the results as new fields to the source events. |
summarize | Produces a table that aggregates the input data. |
timestats | Aggregates events by time periods or bins.. |
Data Operators
Data operators transform, enrich, or manipulate events, enabling actions like renaming, joining, or exporting.
| Name | Description |
|---|---|
centralize | Forces subsequent operators to the coordinator. |
export | Exports search results to a lookup or a Cribl Lake Dataset. |
extend | Appends fields created by expressions. |
extract | Extracts data from a field. |
foldkeys | Folds hierarchical field names into a nested structure. |
ip-lookup | Enriches events with IP address data. |
join | Merges events from two different data scopes. |
lookup | Enriches events with lookup files. |
mv-expand | Expands an object into multiple events. |
mv-pull | Pulls key-value pairs from array objects into events or objects/bags. |
project-rename | Renames fields. |
union | Appends one set of results to another. |
Display Operators
Display operators control how data is presented in the output, allowing formatting, sorting, or visualizing results for better readability.
| Name | Description |
|---|---|
limit (take) | Limits the number of events. |
order (sort) | Arranges events into order by one or more fields. |
print | Outputs expression results. |
project | Keeps only the fields specified, and can also rename fields and insert new computed fields. |
project-away | Excludes specific fields from the results.. |
range | Generates a series of events. |
render | Enforces a specific visualization of the search results. |
top | Returns the first N events sorted by the specified fields. |
Filter Operators
Filter operators exclude or include events based on specified conditions, allowing you to narrow down the Dataset to relevant records.
| Name | Description |
|---|---|
dedup | Filters out duplicate events. |
distinct | Finds unique field values. |
search | Finds events that contain the specified text. |
where | Filters events based on the specified predicate. |
Logical Operators
Logical operators perform comparisons and evaluations.
| Operator | Description |
|---|---|
AND | Returns true if both operands are true, otherwise returns false. |
NOT or ! | Returns true if the operand is false, otherwise returns false. |
OR | Returns true if at least one operand is true, otherwise returns false. |
Numerical Operators
Numerical operators perform arithmetic operations on numerical values, enabling calculations like addition or subtraction.
| Operator | Description |
|---|---|
== | Equal |
!= | Not Equal |
> | Greater Than |
>= | Greater Than or Equal To |
< | Less Than |
<= | Less Than or Equal To |
+ | Add |
- | Subtract |
* | Multiply |
/ | Divide |
% | Modulo |
Search Operators
Search operators retrieve events based on defined criteria, enabling efficient data discovery.
| Name | Description |
|---|---|
cribl | Finds specific events. The fundamental Cribl Search operator, implicit in queries that do not specify an operator. |
find | Finds specific events. |
String Operators
String operators manipulate and transform text, enabling actions like concatenation, trimming, replacement, or extraction.
| Operator | Description | Case-Sensitive | Example (yields true) |
|---|---|---|---|
== | Equals | Yes | "aBc" == "aBc" |
!= | Not equals | Yes | "abc" != "ABC" |
=~ | Equals | No | "abc" =~ "ABC" |
!~ | Not equals | No | "aBc" !~ "xyz" |
contains | RHS occurs as a subsequence of LHS | No | "FabriKam" contains "BRik" |
!contains | RHS doesn’t occur in LHS | No | "Fabrikam" !contains "xyz" |
contains_cs | RHS occurs as a subsequence of LHS | Yes | "FabriKam" contains_cs "Kam" |
!contains_cs | RHS doesn’t occur in LHS | Yes | "Fabrikam" !contains_cs "Kam" |
endswith | RHS is a closing subsequence of LHS | No | "Fabrikam" endswith "Kam" |
!endswith | RHS isn’t a closing subsequence of LHS | No | "Fabrikam" !endswith "brik" |
endswith_cs | RHS is a closing subsequence of LHS | Yes | "Fabrikam" endswith_cs "kam" |
!endswith_cs | RHS isn’t a closing subsequence of LHS | Yes | "Fabrikam" !endswith_cs "brik" |
has | Right-hand-side (RHS) is a whole term in left-hand-side (LHS) | No | "North America" has "america" |
!has | RHS isn’t a full term in LHS | No | "North America" !has "amer" |
has_all | Same as has but works on all of the events | No | "North and South America" has_all("south", "north") |
!has_all | Not all of the RHS terms are present in LHS | No | "North and South America" !has_all("south", "east") |
has_any | Same as has but works on any of the events | No | "North America" has_any("south", "north") |
!has_any | None of the RHS terms are present in LHS | No | "North and South America" !has_any("east", "west") |
has_cs | RHS is a whole term in LHS | Yes | "North America" has_cs "America" |
!has_cs | RHS isn’t a full term in LHS | Yes | "North America" !has_cs "amer" |
hasprefix | RHS is a term prefix in LHS | No | "North America" hasprefix "ame" |
!hasprefix | RHS isn’t a term prefix in LHS | No | "North America" !hasprefix "mer" |
hasprefix_cs | RHS is a term prefix in LHS | Yes | "North America" hasprefix_cs "Ame" |
!hasprefix_cs | RHS isn’t a term prefix in LHS | Yes | "North America" !hasprefix_cs "CA" |
hassuffix | RHS is a term suffix in LHS | No | "North America" hassuffix "ica" |
!hassuffix | RHS isn’t a term suffix in LHS | No | "North America" !hassuffix "americ" |
hassuffix_cs | RHS is a term suffix in LHS | Yes | "North America" hassuffix_cs "ica" |
!hassuffix_cs | RHS isn’t a term suffix in LHS | Yes | "North America" !hassuffix_cs "icA" |
in | Equal to any of the events | Yes | "abc" in ("123", "345", "abc") |
!in | Not equal to any of the events | Yes | "bca" !in ("123", "345", "abc") |
in~ | Equal to any of the events | No | "Abc" in~ ("123", "345", "abc") |
!in~ | Not equal to any of the events | No | "bCa" !in~ ("123", "345", "ABC") |
matches regex | LHS contains a match for RHS | Yes | "Fabrikam" matches regex "b.*k" |
startswith | RHS is an initial subsequence of LHS | No | "Fabrikam" startswith "fab" |
!startswith | RHS isn’t an initial subsequence of LHS | No | "Fabrikam" !startswith "kam" |
startswith_cs | RHS is an initial subsequence of LHS | Yes | "Fabrikam" startswith_cs "Fab" |
!startswith_cs | RHS isn’t an initial subsequence of LHS | Yes | "Fabrikam" !startswith_cs "fab" |