Aggregation Operators
A list of aggregation operators supported by Cribl Search.
Aggregation operators summarize data by grouping it based on specified fields and applying aggregation functions like
sum, avg, or max to produce meaningful insights.
On summarize, eventstats, and timestats, you can append asc, desc, nulls first, and nulls last to each field in the by clause to sort grouped results without a separate order step. See Group-by Sort Order.
| Name | Description |
|---|---|
count | Returns the number of all input events. |
eventstats | Aggregates events and adds the results as new fields to the source events. |
summarize | Produces a table that aggregates the input data. |
timestats | Aggregates events by time periods or bins.. |
In Dashboards, aggregations in child searches are based on the parent search’s results, so if the parent search’s results are capped by a system limit (such as
max_results_per_search/ Results limit), the child search’s aggregations may be incomplete.