Cribl AI

Cribl AI is not available in Cribl.Cloud Government.

Cribl AI tools and capabilities help you streamline your work and maximize your productivity with Cribl products. Use natural (ordinary) language to get answers to product questions, perform advanced searches, create Pipelines, and more.

Cribl AI includes the following features:

  • Chatbot: Answers common questions, helps troubleshoot issues in all Cribl products, and inspects your deployment configuration to answer questions about your environment.
  • Copilot Editor: Helps you create and edit data transformation Pipelines.
  • Background detection: Provides periodic alerts about sensitive entities detected in your data stream. Background detection runs locally using regex rules and a specialized named-entity-recognition (NER) model. It does not call out to a large language model (LLM).
  • Analyze detections: Uses an agentic Guard workflow (LLM-driven) to review background detections, identify likely false positives or true positives, and recommend the next mitigation step. All recommended actions remain user-reviewed and auditable.
  • Cribl Search agents guidance: Enables guidance for AI agents that interact with Search. You can edit the guidance in the search/agents.md file.
  • Search investigations: Allows users to run interactive, AI-assisted investigations in Cribl Search.
  • KQL assistant: Translates your natural-language queries into Kusto Query Language (KQL) in Cribl Search.
  • Visualization assistant: Helps you create custom Chart and Dashboard visualizations in Cribl Search.
  • Web search: Allows a Cribl agent to search the web for additional context when running Search Investigations.
  • MCP integrations: Connects Cribl AI agents to external MCP servers, making third-party tools available during AI-assisted workflows. Currently, only Search investigations uses MCP integrations.

Enable or Disable Cribl AI Features

Cribl AI features are disabled by default. Users with Owner or Admin Permission can enable Copilot for all products and features. Enabling and disabling Copilot applies to all Members in a Workspace.

  1. From Settings, select the Global tab, and then select AI Settings.
  2. After carefully reading the privacy policy and applicable terms, select the button to enable or disable Cribl AI.
    When Cribl AI is enabled, you can enable or disable individual Cribl AI features.

When you enable Cribl AI, supported features use Cribl-managed providers by default. To route supported capabilities through your own provider instead, configure a Custom AI Provider.

You can also disable Cribl AI programmatically, using either of the following methods:

  • In the file $CRIBL_HOME/local/cribl/ai.yml, change the disabled setting to true in the following schema:
   consent:
     id: <GUID>
     accepted: <true/false>
     initialized: <true/false>
   disabled: <true/false>
  • Set the environment variable DISABLED_AI to true, either in the OS shell environment or when starting the Cribl server, with a command like DISABLED_AI=true ./cribl start

Both of these methods prevent Members from enabling Cribl AI via Settings.
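
An audit check for the two switches described above, as an added example that is not Cribl's own code. The function names are hypothetical, the sample ai.yml is constructed from the schema on this page, and only the literal value true is treated as disabled so that the check fails closed.

```shell
#!/bin/sh
# Added example (not Cribl code): audit the two programmatic switches above.
# Function names are hypothetical; ai.yml is assumed to follow the schema on this page.

# Print the value of the top-level `disabled` key in ai.yml, or "unset".
ai_yml_disabled() {
    file="$1/local/cribl/ai.yml"
    [ -r "$file" ] || { echo "unset"; return 0; }
    # Anchor at column 0 so an indented key (e.g. under `consent:`) never matches.
    # If the key repeats, the last one is reported (assumption about the parser).
    val=$(sed -n 's/^disabled:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$file" | tail -n 1)
    echo "${val:-unset}"
}

# Return 0 only if AI is locked off by either mechanism.
#   $1 = CRIBL_HOME   $2 = DISABLED_AI value from the Cribl process environment
cribl_ai_locked_off() {
    if [ "${2-}" = "true" ]; then
        echo "locked: DISABLED_AI=true"; return 0
    fi
    state=$(ai_yml_disabled "$1")
    if [ "$state" = "true" ]; then
        echo "locked: ai.yml disabled: true"; return 0
    fi
    echo "NOT locked: DISABLED_AI='${2-}', ai.yml disabled=$state"
    return 1
}

# Constructed sample: consent accepted, kill switch off.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/local/cribl"
cat > "$demo_home/local/cribl/ai.yml" <<'EOF'
consent:
  id: 00000000-0000-0000-0000-000000000000
  accepted: true
  initialized: true
disabled: false
EOF
cribl_ai_locked_off "$demo_home" "" || true   # reports NOT locked

# Flip the switch as described above and re-check.
sed -i.bak 's/^disabled:.*/disabled: true/' "$demo_home/local/cribl/ai.yml"
cribl_ai_locked_off "$demo_home" ""           # reports locked via ai.yml
```

Pass the DISABLED_AI value that the running Cribl process actually sees as the second argument, since a variable set only in the auditor's shell says nothing about the server.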

Enable or Disable Specific AI Features

After you enable Cribl AI for your Workspace, you can choose which features are available to users.

  1. From Settings, select the Global tab, and then select AI Settings.
  2. In the AI Features section, use the toggles to enable or disable individual features.

The AI Features section includes the following groups:

  • Core Functionality: Contains the Cribl Copilot chatbot toggle. This feature is enabled by default when you enable Cribl AI. Disabling this toggle hides the chatbot widget for all Workspace members without affecting any other Cribl AI features.
  • Stream: Contains toggles for Stream-specific AI features.
  • Search: Contains toggles for Search-specific AI features.

Changes you make on this page apply to all members of the Workspace who have access to the corresponding products and features.

Feature Availability

Cribl AI feature availability varies by deployment type.

Available in on-prem deployments:

  • Copilot chatbot
  • Copilot Editor
  • Function assistance for Pipelines
  • Copilot-generated commit messages
  • Guard rule generation

Available in Cribl.Cloud:

All on-prem features, plus:

  • KQL assistant
  • Visualization assistant
  • Search investigations
  • Web search
  • Cribl Search agents guidance
  • Notebook summaries

To route supported features through your own AI provider instead of Cribl-managed models, see Custom AI Providers.

Frequently Asked Questions

Does Cribl AI have access to my Organization’s data?

Cribl AI does not have access to event data flowing through Cribl. The following features access limited query, configuration, or operational metadata to do their work:

  • Cribl AI generates follow-up queries by looking at the last 50 queries (not their results), the current query, and field names from the last-used Dataset.
  • The KQL assistant creates KQL queries from natural language by looking at any KQL query present in the search box, and at field names from the 10 last-used Datasets.
  • The visualization assistant looks at your current Dataset to suggest ways to effectively display its data.
  • Copilot Editor requires a single, user-selected sample event to assist in transformation logic.
  • The Copilot chatbot can inspect your deployment configuration and live status, including Worker Groups, Sources, Destinations, Routes, Pipelines, system health, and similar metadata, when you ask about your environment. Sensitive values such as tokens, secrets, passwords, private keys, credentials, access keys, and Global Variable values are redacted before being sent to the AI model. For details, see Ask About Your Cribl Deployment.

Does Cribl use my data to train large language models (LLMs)?

No, Cribl does not use user data to train LLMs.

Does background detection use an LLM?

No. Background detection runs locally and uses regex rules in the Sensitive Data Scanner, plus a specialized named-entity-recognition (NER) model, not an LLM. It does not send sampled events to an external chat-completion service. The “background detection model” you select in Guard > AI Settings (for example, cribl-privacy, cribl-privacy-fast, or cribl-privacy-pro) refers to one of these local NER detection bundles, not an LLM.

LLMs are only used by the separate Analyze detections workflow, which runs after initial detection to help classify findings and suggest mitigations.