Meet Cribl Search
All the docs to get you started with Cribl Search.
- Get Cribl Cloud
- Questions not answered here? We’d love to help you. Meet us in #Cribl Community Slack – sign up here.
Cribl Search helps you search, explore, and analyze machine data – logs, instrumentation data, application data,
metrics, etc. – in place without first moving it to specialized storage. It can do so with data residing on
Cribl Edge or in a data lake such as Amazon S3.
Cribl Search is offered as a service via Cribl.Cloud. Your data can reside anywhere – in the public or private cloud, on-prem, etc.
Cribl Search is built for administrators, managers, and users of operational/DevOps and security intelligence products and services.
Let’s see a basic search:
- Type a common log term in quotes, like “get”, in the search query box.
- Press Enter/Return or click the Search button.
- Results containing the search term are returned in the Events tab below the histogram.

Concepts
Learn the basic concepts of Cribl Search.
Datasets
Datasets are a way to organize and reference a set of data. Think of a dataset as a definition that describes WHAT we need to query, or as a “container” for some data.
A dataset may contain information about the path(s) that need to be queried for specific data at a specific source, such
as a filesystem, an S3 bucket, or an Edge worker. For example, a dataset named myVPCFlowlogs contains Amazon VPC Flow
logs and is referenced as dataset=myVPCFlowlogs in a query.
Data is broken into discrete events and searchable fields by assigning Datatypes to a dataset.
Dataset Providers
A dataset provider is a concept that the system uses to categorize datasets using specific interfaces to external systems. Think of a provider as a definition that describes WHERE we need to send the query. A dataset provider can contain connection information required to obtain the data, such as API keys or secrets.
Searches
A search is a query request that is used to process data in place and return results. The request is a plain-text string
composed of multiple operators separated by a pipe: |. For example, the search dataset=myVPCFlowlogs | limit 1000
will retrieve data from the dataset myVPCFlowlogs and return up to 1,000 results. See
Search Page Overview for further details.
Operators and Functions
As data is passed through a search, it is handled by operators that process the data based on functions.
For example, in the search dataset=myVPCFlowlogs | summarize count() by srcport, the summarize operator
aggregates all events in the dataset myVPCFlowlogs: the count() function counts the number of events,
and the by clause groups them by srcport value.
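To make the pipe semantics of the two searches above concrete (dataset=myVPCFlowlogs | limit 1000 and dataset=myVPCFlowlogs | summarize count() by srcport), here is a small Python emulation. It is an added illustration, not Cribl Search code and not how the product implements its operators: the events are constructed, the field names follow the Amazon VPC Flow Logs record layout, and the output column name count_ is an assumption chosen for this example.

```python
from collections import Counter
from itertools import islice
from typing import Callable, Dict, Iterable, Iterator, List

Event = Dict[str, object]
Operator = Callable[[Iterable[Event]], Iterator[Event]]

# Constructed events standing in for the myVPCFlowlogs dataset (made-up values,
# field names as in Amazon VPC Flow Logs records).
MY_VPC_FLOWLOGS: List[Event] = [
    {"srcaddr": "10.0.1.5",     "dstaddr": "10.0.2.9",  "srcport": 443, "dstport": 52134, "action": "ACCEPT"},
    {"srcaddr": "10.0.1.5",     "dstaddr": "10.0.2.10", "srcport": 443, "dstport": 52135, "action": "ACCEPT"},
    {"srcaddr": "198.51.100.7", "dstaddr": "10.0.2.9",  "srcport": 22,  "dstport": 40001, "action": "REJECT"},
    {"srcaddr": "198.51.100.7", "dstaddr": "10.0.2.10", "srcport": 22,  "dstport": 40002, "action": "REJECT"},
    {"srcaddr": "198.51.100.7", "dstaddr": "10.0.2.11", "srcport": 22,  "dstport": 40003, "action": "REJECT"},
    {"srcaddr": "10.0.0.2",     "dstaddr": "10.0.2.9",  "srcport": 53,  "dstport": 33000, "action": "ACCEPT"},
]


def limit(n: int) -> Operator:
    """Emulates `| limit n`: pass through at most n events, then stop."""
    def op(events: Iterable[Event]) -> Iterator[Event]:
        return islice(events, n)
    return op


def summarize_count_by(field: str) -> Operator:
    """Emulates `| summarize count() by <field>`: one output event per distinct
    value of <field>, carrying that value and how many input events had it.
    Output is ordered by descending count, then by value, so results are stable.
    The column name `count_` is an assumption made for this example."""
    def op(events: Iterable[Event]) -> Iterator[Event]:
        counts = Counter(e.get(field) for e in events)
        for value, n in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0]))):
            yield {field: value, "count_": n}
    return op


def run_search(dataset: Iterable[Event], *pipeline: Operator) -> List[Event]:
    """Apply operators left to right, the way `|` chains them in a search:
    each operator consumes the previous operator's output stream."""
    stream: Iterator[Event] = iter(dataset)
    for op in pipeline:
        stream = op(stream)
    return list(stream)


if __name__ == "__main__":
    # dataset=myVPCFlowlogs | limit 1000  (only 6 events exist, so all 6 return)
    print(len(run_search(MY_VPC_FLOWLOGS, limit(1000))))
    # dataset=myVPCFlowlogs | summarize count() by srcport
    for row in run_search(MY_VPC_FLOWLOGS, summarize_count_by("srcport")):
        print(row)
```

Note that operator order matters exactly as it does in a real search: limit(4) placed before summarize_count_by("srcport") aggregates only the first four events, whereas placing it after would cap the number of groups returned.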
Commands and Statements
Commands are simple instructions you can type right in the query box. They’re designed primarily for
administrators, and help them manage search jobs or learn more
about the organization’s datasets. Commands always start with a period ., for
example: .show running queries.
Statements help you build more readable and efficient searches. Use let statements to give names to expressions
or entire queries, and then reference those names in the context of the same search, which in turn allows you to
join datasets. The set statement, on the other hand, lets you configure
advanced search options.