Search Cribl Lake
Search your Cribl Lake data with Cribl Search.
Cribl Lake appears as a preconfigured Cribl Search Dataset Provider called cribl_lake. This enables you to use Cribl Lake Datasets as Cribl Search Datasets and instantly start searching them.
Search a Lake Dataset
To access Cribl Search: From your Organization’s top bar, select Products, then select Search. You can then query your Lake Datasets from Cribl Search.
Search a Lakehouse
You can speed up searching your Cribl Lake data by using a Lakehouse. Once a Lake Dataset is assigned to a Lakehouse, searches against that Dataset will run significantly faster – as long as the search’s whole range is contained within the Lakehouse’s retention period.
If a query covers a time period wider than the data stored in a Lakehouse, Cribl Search will normally fall back to performing a regular search with corresponding latency. However, if the Lake Dataset has a retention period shorter than the Lakehouse, Cribl Search will still accelerate the search.
Verify Lakehouse Use
To verify whether a search successfully used a Lakehouse, take a look at the tracking bar.
If the search failed to use a Lakehouse, the bar presents information about potential reasons. The reasons might include (as examples) the Lakehouse being disabled or misconfigured, or the query exceeding the time range of data stored in the Lakehouse.
Search Multiple Lakehouse Datasets
You can run a single query against multiple Lakehouse-assigned Datasets. For the query to execute at Lakehouse speed, all Datasets in the query must be Lakehouse-assigned, and your query must also meet one of these conditions:
Include only operators from the following group: cribl, centralize, extend, extract, foldkeys, limit, mv-expand, pivot, project, project-away, project-rename, search, and where.
Or, if you use any other operators, insert the centralize or limit operator before them. (Result counts will be further constrained by usage group limits.)
If neither of the above conditions is met, or if your query includes non-Lakehouse Datasets, the query will run at standard speed.
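The two operator conditions above can be checked before a saved search is scheduled. The following is an added example, not Cribl code: a small Python linter that applies those conditions to a query string. It assumes a simplified grammar (stages separated by `|` outside double quotes, the first stage naming each Dataset as `dataset="name"`, each later stage starting with its operator name); the function names are hypothetical, and it does not check the time-range condition.

```python
import re

# Operators the page lists as safe for Lakehouse-speed multi-Dataset queries.
LAKEHOUSE_OPERATORS = {
    "cribl", "centralize", "extend", "extract", "foldkeys", "limit",
    "mv-expand", "pivot", "project", "project-away", "project-rename",
    "search", "where",
}
# Either of these, placed earlier in the pipeline, permits other operators.
GATE_OPERATORS = {"centralize", "limit"}


def split_stages(query):
    """Split a query on '|' characters that sit outside double quotes."""
    stages, buf, quoted = [], [], False
    for ch in query:
        if ch == '"':
            quoted = not quoted
        if ch == "|" and not quoted:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def lakehouse_speed(query, lakehouse_datasets):
    """Return (eligible, reason) for the two operator conditions on the page."""
    stages = split_stages(query)
    if not stages:
        return False, "empty query"
    # Assumption: stage 0 is the search expression naming every Dataset.
    datasets = set(re.findall(r'dataset\s*=\s*"([^"]+)"', stages[0]))
    missing = datasets - set(lakehouse_datasets)
    if missing:
        return False, "non-Lakehouse Dataset: " + ", ".join(sorted(missing))
    gated = False
    for stage in stages[1:]:
        op = stage.split()[0].lower()
        if op not in LAKEHOUSE_OPERATORS and not gated:
            return False, f"'{op}' needs centralize or limit before it"
        gated = gated or op in GATE_OPERATORS
    return True, "operator conditions met"


if __name__ == "__main__":
    # Constructed query and Dataset names, for illustration only.
    q = 'dataset="fw" dataset="dns" | summarize count() by host'
    print(lakehouse_speed(q, {"fw", "dns"}))
```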
Cribl Search Differences with Lakehouse
Executing Cribl Search queries against a Lakehouse-assigned Dataset changes some behavior and results, compared to executing the same queries without Lakehouse caching. For details, see Lakehouse Search Differences.
Examples of Searching Cribl Lake
Use these examples as starting points for your own searches.
Basic Search into Cribl Lake
This search specifies the Dataset (test_dataset) and limits the number of results.
dataset="test_dataset"
| limit 100

Search Cribl Lake with a Partition
This search uses a Lake partition named sourcetype that is configured for the partitioned Dataset to speed up retrieval:
dataset="partitioned" host="cribl-stream"

Export Cribl Search Results to Cribl Lake
The export operator lets you export Cribl Search results to a Lake Dataset.
You can later search this Dataset to extract relevant data from it.
An efficient way to search exported data is to provide the search job ID to the where operator:
dataset="exported_data"
| where source contains "1713177481843.9AOqxI"
You can find the search job ID in search details after running it, or in the History tab, in the Search ID column.
You can also label exported events using the extend operator and then include the added fields in your search.
For example, during export you can include the user that performed the search:
dataset="cribl_search_sample"
| extend user = user()
| export to lake exported_data
You can then search for data by this user:
dataset="exported_data"
| where user == "John Doe"