window.first
Supported in: Rules
window.first(values_to_sort_by, values_to_return)
Description
This aggregation function returns a string value derived from an event with the lowest correlated int value in the match window. An example use case is getting the userid from the event with the lowest timestamp in the match window (earliest event).
Param data types
INT, STRING
Return type
STRING
Code samples
Get a string value derived from an event with the lowest correlated int value in the match window.
// This rule sets the outcome $first_event to the string value ($e.metadata.event_type)
// taken from the event with the lowest correlated int value ($e.metadata.timestamp.seconds)
// in the 5 minute match window. The rule name, meta and condition sections are added
// here so the sample is a complete rule; the original sample showed only the
// events, match and outcome sections.
rule window_first_example {
  meta:
    description = "Event type of the earliest event per user in a 5 minute window"
  events:
    $e.user.userid = $userid
  match:
    $userid over 5m
  outcome:
    $first_event = window.first($e.metadata.timestamp.seconds, $e.metadata.event_type) // yields v1 if the events in the match window are 1, 2 and 3 and corresponding values v1, v2, and v3.
  condition:
    $e
}
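The following Python model, added here as an illustration and not part of the Chronicle documentation or the YARA-L engine, shows what window.first computes over a match window: events are grouped per $userid into 5 minute windows, and for each window the string paired with the lowest int is returned. The sample events, the fixed-bucket windowing (a simplification; the page does not say how "over 5m" places events into windows) and the tie-breaking behaviour (first event encountered wins; the page does not specify tie handling) are all assumptions of this model.

```python
from collections import defaultdict

WINDOW_SECONDS = 300  # "over 5m" in the rule

# Constructed sample events (not from the page). BASE is chosen so that the
# first few events fall into one 5 minute bucket and one event falls into the next.
BASE = 1700000100
SAMPLE_EVENTS = [
    {"userid": "alice", "ts": BASE + 20, "event_type": "USER_LOGIN"},
    {"userid": "alice", "ts": BASE + 5, "event_type": "NETWORK_CONNECTION"},
    {"userid": "bob", "ts": BASE + 50, "event_type": "PROCESS_LAUNCH"},
    {"userid": "alice", "ts": BASE + 400, "event_type": "FILE_MODIFICATION"},
    {"userid": "bob", "ts": BASE + 50, "event_type": "USER_LOGIN"},  # tie with bob's first event
]


def window_first(values_to_sort_by, values_to_return):
    """Model of window.first: return the string paired with the lowest int.

    Both lists must be the same length and positionally aligned, exactly as the
    two YARA-L arguments are taken from the same event. An empty window yields
    None (assumption: the page does not define the empty-window result).
    On ties the first occurrence wins (assumption).
    """
    if len(values_to_sort_by) != len(values_to_return):
        raise ValueError("sort-by and return lists must be aligned")
    if not values_to_sort_by:
        return None
    idx = min(range(len(values_to_sort_by)), key=lambda i: values_to_sort_by[i])
    return values_to_return[idx]


def match_windows(events, window_seconds=WINDOW_SECONDS):
    """Simplified model of `match: $userid over 5m`: group events by userid
    into fixed buckets of window_seconds (assumption; the real engine's window
    placement is not described on the page)."""
    groups = defaultdict(list)
    for ev in events:
        bucket = ev["ts"] // window_seconds
        groups[(ev["userid"], bucket)].append(ev)
    return groups


def first_event_per_window(events, window_seconds=WINDOW_SECONDS):
    """Evaluate the rule's outcome section for every match window:
    $first_event = window.first($e.metadata.timestamp.seconds, $e.metadata.event_type)."""
    outcomes = {}
    for key, evs in match_windows(events, window_seconds).items():
        outcomes[key] = window_first(
            [e["ts"] for e in evs],
            [e["event_type"] for e in evs],
        )
    return outcomes


if __name__ == "__main__":
    # The page's own illustration: ints 1, 2, 3 with values v1, v2, v3 yields v1.
    print(window_first([1, 2, 3], ["v1", "v2", "v3"]))
    for (userid, bucket), first_event in sorted(first_event_per_window(SAMPLE_EVENTS).items()):
        print(f"user={userid} window={bucket} first_event={first_event}")
```

For detection work the point of the model is the alignment of the two argument lists: the int and the string must come from the same event, otherwise the earliest timestamp would be paired with an unrelated event type. The tie case for bob shows why a rule author should not rely on window.first to disambiguate two events with identical timestamps.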
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.