
Reporting

One of the most important things that you'll need to learn to do is format and report on your search results. I mean think about it. What would you do if you went to read a Harry Potter book and J.K. Rowling decided not to put the words in order, add punctuation, or group the sections into chapters? Interpreting raw data would feel the same way. It isn't until we aggregate our results, perform calculations, and order results appropriately, that our story magically starts to come to life.

Summarize

If you can recall from the Cribl Search Overview sandbox, the summarize operator allows us to do all of these things. How about a quick refresher? Ok, wands at the ready!

important
  1. Clear the query box.
  2. Enter the following query:
    dataset="cribl_search_sample" dataSource="access_combined"
    | limit 100000
    | summarize info=countif(status<200), success=countif(status>=200 and status<300), fail=countif(status>=300 and status<500), epic_fail=countif(status>=500) by host
  3. Click SEARCH.

This query combines several countif functions inside a single summarize operator. First, you'll recognize everything before | limit as our scope: we want all Apache access_combined events from the cribl_search_sample S3 dataset.

Following the | limit 100000 which ensures we return a maximum of 100,000 results, we have | summarize which denotes that we are now using the summarize operator. As a part of the summarize operator, we make use of the countif function info=countif(status<200) which will count all events that have a status field with a value under 200 and assign that count to a new field called info.

To use more than one function within an operator, separate the additional functions with commas. As you can see, we can repeat this as many times as we need until every status code range is accounted for. Lastly, by host groups the counts on a per-host basis, so the result is one row per host.

Using summarize to perform aggregation and calculations we have turned our results into something that we can now interpret meaningfully.

Eventstats

The eventstats operator uses functions and aggregates events in the same way as the summarize operator, with one key distinction: eventstats adds the result of the aggregation as new fields on the source events instead of replacing the events with a summary table. To see this in action, let's take our last search, change the summarize operator to eventstats, and see how the results change.

important
  1. Clear the query box.
  2. Enter the following query:
    dataset="cribl_search_sample" dataSource="access_combined" 
    | limit 100000
    | eventstats info=countif(status<200), success=countif(status>=200 and status<300), fail=countif(status>=300 and status<500), epic_fail=countif(status>=500) by host
  3. Click SEARCH.

As you can see, we are no longer viewing a summary table on the Chart tab of the results pane. We are now viewing the unaggregated events themselves. Each of the fields we calculated in the previous search is still being calculated, but now each event carries the counts for its host as new fields. This is very useful when you need a per-group value at the event level, for example to keep only the events from hosts whose epic_fail count crosses a threshold, something summarize alone cannot do because it discards the individual events.

Timestats

Another operator that is useful for reporting is the timestats operator. Like the summarize and eventstats operators, timestats aggregates events based on...you guessed it, time. This is really handy for when you want to create line and area charts.

It's about time
  1. Clear the query box.
  2. Enter the following query:
    dataset="cribl_search_sample" dataSource="access_combined"
    | limit 100000
    | timestats count() by status
  3. Click SEARCH.

For our first example, we have a simple implementation of the timestats operator that shows a count for each HTTP status code in each bucket of time. Each status code is represented by its own column in the table and by its own colored line, bar, or area in the chart.

We can also leverage timestats for more complex calculations, such as the same four countif functions we used with summarize, now bucketed by time.

It's about time
  1. Clear the query box.
  2. Enter the following query:
    dataset="cribl_search_sample" dataSource="access_combined"
    | limit 100000
    | timestats info=countif(status<200), success=countif(status>=200 and status<300), fail=countif(status>=300 and status<500), epic_fail=countif(status>=500)
  3. Click SEARCH.
tip

Click the brush icon to change the chart type to a more appropriate one, such as a line or area chart.
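To make the difference between the three operators concrete, here is an added example that is not part of the sandbox and not Cribl's code: a small Python model of what summarize, eventstats and timestats compute, run over a handful of constructed access_combined lines. The host tag on each line, the 10-minute span and the epic_fail threshold of 2 are assumptions chosen for the illustration; the status-code classes are the four countif predicates from the queries above.

```python
"""Plain-Python model of the three Cribl Search aggregation shapes.

Added illustration, not Cribl's implementation: the functions below
re-create what summarize, eventstats and timestats compute over a few
constructed access_combined lines so the differences are visible
side by side.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic), each tagged with the host
# the sandbox query groups on. Only the status code feeds the counts.
SAMPLE = [
    ("web-1", '10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.0"'),
    ("web-1", '10.0.0.2 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"'),
    ("web-1", '10.0.0.3 - - [10/Oct/2023:14:02:10 +0000] "POST /login HTTP/1.1" 500 512 "-" "Mozilla/5.0"'),
    ("web-2", '10.0.0.4 - - [10/Oct/2023:13:58:44 +0000] "GET /img.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"'),
    ("web-2", '10.0.0.5 - - [10/Oct/2023:14:05:12 +0000] "GET /api HTTP/1.1" 502 77 "-" "python-requests/2.31"'),
    ("web-2", '10.0.0.5 - - [10/Oct/2023:14:07:30 +0000] "GET /api HTTP/1.1" 503 77 "-" "python-requests/2.31"'),
]

# Pull the timestamp, request line and status out of an access_combined line.
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse(host, line):
    """Turn one access_combined line into an event with _time, host, status."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable access_combined line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"_time": ts.timestamp(), "host": host, "status": int(m["status"])}


EVENTS = [parse(h, line) for h, line in SAMPLE]

# The four countif() predicates used in the sandbox queries.
CLASSES = {
    "info": lambda s: s < 200,
    "success": lambda s: 200 <= s < 300,
    "fail": lambda s: 300 <= s < 500,
    "epic_fail": lambda s: s >= 500,
}


def count_classes(events):
    """countif(...) for each class over one group of events."""
    return {name: sum(1 for e in events if pred(e["status"]))
            for name, pred in CLASSES.items()}


def summarize_by_host(events):
    """summarize ... by host: one row per host, the events themselves are gone."""
    groups = defaultdict(list)
    for e in events:
        groups[e["host"]].append(e)
    return {host: count_classes(group) for host, group in groups.items()}


def eventstats_by_host(events):
    """eventstats ... by host: the same counts, copied onto every source event."""
    per_host = summarize_by_host(events)
    return [{**e, **per_host[e["host"]]} for e in events]


def timestats_count_by_status(events, span_seconds=600):
    """timestats count() by status: a count per (time bucket, status) pair.
    The 10-minute span is an assumption for this illustration."""
    buckets = Counter()
    for e in events:
        bucket = int(e["_time"] // span_seconds) * span_seconds
        buckets[(bucket, e["status"])] += 1
    return dict(buckets)


def hosts_with_5xx(events, threshold=2):
    """The event-level use of eventstats: keep only events from hosts whose
    total epic_fail count reaches the threshold. summarize alone cannot
    return these, because it discards the individual events."""
    return [e for e in eventstats_by_host(events) if e["epic_fail"] >= threshold]


if __name__ == "__main__":
    print("summarize  :", summarize_by_host(EVENTS))
    print("eventstats :", eventstats_by_host(EVENTS)[0])
    print("timestats  :", timestats_count_by_status(EVENTS))
    print("5xx hosts  :", [(e["host"], e["status"]) for e in hosts_with_5xx(EVENTS)])
```

Running the script shows summarize collapsing six events into two host rows, eventstats returning all six events with the host's four counts attached to each, and timestats producing one count per 10-minute bucket and status. The hosts_with_5xx function is the pattern the eventstats section describes: an aggregate (per-host epic_fail) used as a filter while the original events are kept.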