Commands
Run commands, and set-statement options, from the query box to manage searches.
Cribl Search supports the following commands:
.cancel– Stop queued, running, or all queued and running searches..clear options– Disableset-statement options..generate stats– Produce statistics about the results of a search..show objects– List the contents of a Dataset before you search it..show options– Viewset-statement options configured for your account..show queries– List queued, running, or all queued and running searches run by all users or specific users.
Basic Command Usage
Unlike functions and operators, commands start with a period. For example:
.show objectsHow commands work depends on your Search Member Permissions. For example, User Search Members can manage only their own searches, but Admin Search Members can manage the searches of all users in the organization.
You can combine commands with operators. For example, to show queued queries that were created more than 10 minutes ago:
.show queued queries
| where timeCreated < ago(10min)However, you can’t use commands in subqueries. For example, this won’t work:
// invalid example
let stage1 = .show objects(cribl_search_sample);For more transparency, you can provide a reason why you’re using a particular command. The reason will be added to the Cribl Search audit log. For example:
.cancel running queries with(reason = "Time is up.")Manage Searches with Commands
You can manage your or your users’ searches straight from the query box, using the following commands:
.show queries– View searches based on their IDs, status, or the users running them..cancel– Cancel queued or running searches.
View Searches
To display searches based on their IDs, status, or the users running them, use the .show queries
command.
User and Editor Search Members can view only their own searches. Admin Search Members can view the searches of all users in the organization.
To view all queued or running searches:
.show queriesTo view all queued searches:
.show queued queriesTo view searches that are being run by specific users:
.show running queries by user "Jane*"The results are not affected by the set time range.
Cancel Searches
To stop queued or running searches, use the .cancel command.
User and Editor Search Members can cancel only their own searches. Admin Search Members can cancel the searches of all users in the organization.
To cancel a specific search:
.cancel query "1693827597495.ji5y5g"To cancel searches that are queued or being run by specific users:
.cancel queries by user("John Doe", "Jane*")To cancel all currently running searches:
.cancel running queriesThe results are not affected by the set time range.
Manage Set-Statement Options with Commands
You can manage your or your users’ set-statement options straight from the query box, using the following
commands:
.clear options– Disableset-statement options..show options– Viewset-statement options configured for your account.
View Set-Statement Options
To see set-statement options configured for your account, use the
.show options command.
To view all options configured for you:
.show optionsTo view only those options that are not overridden by other settings:
.show active optionsDisable Set-Statement Options
To disable set-statement options, use the .clear options
command.
To disable all options configured for your own account:
.clear optionsAs an Admin Search Member, to disable all options for all users in the usage group:
.clear global options