Aggregating Data

Impressive... most impressive, but you aren't a Jedi yet. Searching and filtering data is only half of the equation. Now you've got to do something with it. No one wants to sift through thousands (more likely millions) of events. Again, ain't nobody got time for that. Instead, we'll use Cribl Search to aggregate the data.

Aggregation 101

Aggregating is when you group data in some way that makes it easier to analyze and digest. First let's see what a summarized search looks like. This is a great time to play with one of our sample searches.

Load a Sample Search
  1. Click Search Home in the left navigation bar.

  2. Click Sample Searches.

  3. Click the entry titled "Summarize the count of records by the 'dataSource' field". The search should be:

    dataset="cribl_search_sample" | summarize count() by dataSource

Whoa! Big difference, right? The first thing you notice is the eye-popping chart, which makes it much easier to make data-based decisions. Another thing to call out, if you haven't noticed already, is that we are automatically brought to the Chart tab instead of the Events tab.

Tabs for days
  1. Click the Events tab.
  2. Click the Fields tab.
  3. Click the Chart tab.
(screenshot: no-results)

If this is what you saw on the Events and Fields tabs, then don't worry: you've done everything right. When a search uses any aggregation operator or function, such as the summarize operator in our current search, the results are viewable only on the Chart tab. Conversely, if the search uses no aggregation operator, the Events and Fields tabs will be populated and you'll see this message on the Chart tab:

(screenshot: no-chart)
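To make concrete what `summarize count() by dataSource` does to the raw events, here is an added Python model of the operator's semantics (example code, not Cribl's implementation). The events are constructed sample records loosely modelled on the cribl_search_sample dataset, and the function also generalizes to grouping by more than one field.

```python
"""
Added example (not Cribl's code): a minimal Python model of what
`summarize count() by dataSource` does to a stream of events.
"""
from collections import Counter

# Constructed sample events; field names are assumptions, not page data.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dataSource": "syslog", "host": "web01"},
    {"_time": 1700000005, "dataSource": "syslog", "host": "web02"},
    {"_time": 1700000010, "dataSource": "aws_cloudtrail", "host": "api01"},
    {"_time": 1700000015, "dataSource": "syslog", "host": "web01"},
    {"_time": 1700000020, "dataSource": "winevtlog", "host": "dc01"},
    {"_time": 1700000025, "host": "dc02"},  # no dataSource field at all
]


def summarize_count_by(events, *by_fields):
    """Group events on the given fields and count each group.

    Mirrors `summarize count() by <fields>`: the returned rows *replace*
    the raw events, which is why only the aggregate (Chart) view has
    anything to show after an aggregation. Events that lack a grouping
    field fall into a group keyed by None instead of being dropped, so
    the counts still add up to the number of input events.
    """
    counts = Counter(tuple(e.get(f) for f in by_fields) for e in events)
    rows = [dict(zip(by_fields, key), count=n) for key, n in counts.items()]
    # Largest groups first, the order a bar chart would rank them in.
    return sorted(rows, key=lambda r: (-r["count"], str(r)))


if __name__ == "__main__":
    for row in summarize_count_by(SAMPLE_EVENTS, "dataSource"):
        print(row)
```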