cribl
The cribl operator finds specific events. It is the fundamental Cribl Search operator, and is implicit in queries that
do not specify an operator.
Syntax
[cribl] StringExpression ComparisonExpression [ BooleanOperator ] [ StringExpression | ComparisonExpression ]
Either a StringExpression or a ComparisonExpression is required.
Rules
- cribl is implicit. You don’t need to specify it in a query. But to use cribl in a subquery, you must specify it.
- cribl, like find, can be used to initiate a query expression.
- cribl doesn’t support functions (or any kind of expressions). For this, you need to use the where operator.
- Wildcards * represent zero or more characters.
- An escaped \* represents a literal asterisk. cribl doesn’t support including both a wildcard * and a literal \* in the same query. To perform this type of search, you need to use the where operator.
- cribl interprets both the == and = tokens as comparison (not assignment) operators.
- cribl implicitly matches against the _raw field if you specify no field; otherwise, it matches against an extracted field.
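The wildcard rules above are easy to get wrong when you build queries programmatically, so here is an added Python example (written for this page, not Cribl’s own code) that translates a cribl StringExpression into an anchored, case-insensitive regular expression following those rules and emulates the `field == pattern` comparison. It assumes `\*` is the only escape sequence and applies the “no mixing” rule per pattern rather than per query; a bare term search against _raw is not modelled. The sample values at the bottom are constructed.

```python
import re


class UnsupportedPattern(ValueError):
    """Pattern that cribl cannot express; the caller should fall back to the where operator."""


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a cribl StringExpression into an anchored, case-insensitive regex.

    Rules modelled (from the operator's documented behaviour):
      - an unescaped '*' matches zero or more characters;
      - an escaped '\\*' matches exactly one literal asterisk;
      - a pattern may not contain both kinds (cribl rejects the query).
    Assumption: '\\*' is the only escape sequence; every other character is literal.
    """
    has_wildcard = False
    has_literal_star = False
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("\\*", i):
            has_literal_star = True
            parts.append(re.escape("*"))
            i += 2
        elif pattern[i] == "*":
            has_wildcard = True
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    if has_wildcard and has_literal_star:
        raise UnsupportedPattern(
            "cribl cannot mix a wildcard '*' with a literal '\\*' in one query; use where"
        )
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def supports(pattern: str) -> bool:
    """True if cribl can evaluate the pattern, False if it needs the where operator."""
    try:
        wildcard_to_regex(pattern)
    except UnsupportedPattern:
        return False
    return True


def cribl_equals(value: str, pattern: str) -> bool:
    """Emulate `field == pattern` (equivalently `field = pattern`): a case-insensitive,
    wildcard-aware comparison against the whole field value."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real dataset.
    for value, pattern in [("ABCxyz", "abc*"), ("abc", "abc*"), ("a*b", "a\\*b"), ("axb", "a\\*b")]:
        print(f"{value!r} == {pattern!r}: {cribl_equals(value, pattern)}")
    print("supported:", supports("a\\*b*"))
```

The `supports` check is the useful part in practice: a query builder can test a user-supplied pattern up front and route it to where instead of letting cribl reject the whole query.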
Arguments
The cribl operator accepts a flexible range of arguments.
StringExpression
Case-insensitive string of characters. For example, "error" or error. To see if you can omit the double quotes "",
see Quotes in cribl Operator. Either a StringExpression or a
ComparisonExpression is required.
BooleanOperator
not, or, and, in that order of precedence. This order differs from other operators. Use parentheses () to
override this precedence.
Here, whitespace is equivalent to and. For example, foo and bar is the same as foo bar.
ComparisonExpression
Compare numbers, strings, and/or regular expressions in an expression that evaluates to a boolean. Either a ComparisonExpression or a StringExpression is required.
Syntax: Key ComparisonOperator Value or Key in (ListOfValues) or TimeExpression
We break down these parameters below.
Key
This is a field name.
Comparison Operators in cribl
Formal comparison operators are =, ==, =~, !=, !==, >, >=, <, <=, and !~. (For comparisons against regex literals, we support only the ==, =~, !=, and !~ operators.) See also String Operators below.
| Operator | Description | Case-Sensitive | Wildcards | Regex | Examples | Wildcard Example | Regex Example |
|---|---|---|---|---|---|---|---|
| Equal = or == | Returns true if the operands are equal. | No | Yes | Yes | 3 == var1; "3" == var1; 3 == '3' | foo == "abc*" | foo == /^abc.*xyz$/ |
| Not equal != | Returns true if the operands are not equal. | No | Yes | Yes | var1 != 4; var2 != "3" | foo != "abc*" | foo != /^abc.*xyz$/ |
| Greater than > | Returns true if the left operand is greater than the right operand. | No | No | No | var2 > var1; "12" > 2 | | |
| Less than < | Returns true if the left operand is less than the right operand. | No | No | No | var1 < var2; "2" < 12 | | |
| Greater than or equal to >= | Returns true if the left operand is greater than or equal to the right operand. | No | No | No | var2 >= var1; var1 >= 3 | | |
| Less than or equal to <= | Returns true if the left operand is less than or equal to the right operand. | No | No | No | var1 <= var2; var2 <= 5 | | |
| ! | Unary inversion (NOT): logical values only; string values are unsupported | No | Yes | Yes | | | |
String Operators in cribl
The ComparisonOperator parameter also supports the following string operators.
| Operator | Description | Case-Sensitive | Wildcards | Regex | Example (yields true) | Regex Example |
|---|---|---|---|---|---|---|
| in | Equal to any of the listed values | Yes | No | Yes | "abc" in ("123", "345", "abc") | foo in ("ye*ah", /^no.+way/i, 'whee') |
| !in | Not equal to any of the listed values | Yes | No | Yes | "bca" !in ("123", "345", "abc") | foo !in ("ye*ah", /^no.+way/i, 'whee') |
| in~ | Equal to any of the listed values | No | No | Yes | "Abc" in~ ("123", "345", "abc") | foo in~ ("ye*ah", /^no.+way/i, 'whee') |
| !in~ | Not equal to any of the listed values | No | No | Yes | "bCa" !in~ ("123", "345", "ABC") | foo !in~ ("ye*ah", /^no.+way/i, 'whee') |
Value
This is a StringExpression.
ListOfValues
This is a comma-separated list of one or more StringExpressions. For example: (StringExpression, StringExpression, ...)
TimeExpression
Relative or absolute time range. Syntax: earliest=TimeString and/or latest=TimeString. earliest is inclusive >=,
while latest is exclusive <. The limit of earliest is 90 days (7776000 seconds) ago. See
time syntax for details.
RegularExpression
Regex literal. Syntax: /<regular expression>/<flags>. For syntax details, see Regex Examples,
Regex Flags, and Disambiguating Regex Characters.
ComparisonExpression Examples
foo=bar
foo>23.4
bar<42
foo!=bar*
level in (INFO, DEBUG, ERROR)
method in ("GET", "POST")
earliest=-1h
latest=-42m
earliest=-42m@h latest=now
earliest=-2h@m latest=+2h@m
earliest=1700511360.123 latest=1700511420.123
method == /ge*/i
method =~ /ge*|p.*t/i
method in ("GET", /^po.*/i)
(In the final example above, note that your ComparisonExpression can mix string and regex target values.)
Quotes in cribl Operator
You don’t need to enclose your StringExpression in double quotes "", as long as it’s made of the
following characters only:
a-zA-Z0-9$_*.-
If your StringExpression contains any other character, you do need to enclose it in double quotes
"", for example:
| Characters | Need quotes "" | Examples |
|---|---|---|
| @ + - \ / ( ) [ ] | ✓ | "john.doe@whatever.com" or "/api/events" |
| Space ( ) | ✓ | "test event" |
| Keywords dataset, earliest, and latest | ✓ | "earliest=testEvent" |
| a-z A-Z 0-9 | | testEvent0 or "testEvent0" |
| $ _ * . - | | us-* or "us-*" |
Cribl Search keywords, such as operator or function names, don’t need double quotes. The only exceptions are
dataset, earliest, and latest.
To escape double quotes, use the backslash \, for example: "style=\"goatee\""
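Anything that builds cribl queries from values it did not type itself (a SOAR playbook, a dashboard parameter, a ticket field) should apply these quoting rules mechanically rather than by eye, because an unquoted value containing a space or a double quote becomes part of the query grammar. The following Python helper is an added example written for this page, not Cribl’s own code. It encodes the character set and keyword exceptions above and assumes two things the page does not state: keywords are matched case-insensitively (quoting more than necessary is harmless), and backslashes are passed through unchanged, since the page documents escapes only for double quotes and asterisks. The sample inputs are constructed.

```python
import re

# Characters that may appear in an unquoted StringExpression (from the rule above).
_BARE_SAFE = re.compile(r"[A-Za-z0-9$_*.\-]+")
# Keywords that must be quoted even though they only use bare-safe characters.
_RESERVED = {"dataset", "earliest", "latest"}


def quote_string_expression(value: str) -> str:
    """Return `value` formatted as a cribl StringExpression.

    Bare form is used only when every character is in a-zA-Z0-9$_*.- and the value
    is not a reserved keyword; everything else is wrapped in double quotes with any
    embedded double quote escaped as \\". Assumptions: keywords are matched
    case-insensitively, and backslashes are passed through unchanged (the page
    documents escapes only for '"' and '*').
    """
    if _BARE_SAFE.fullmatch(value) and value.lower() not in _RESERVED:
        return value
    return '"' + value.replace('"', '\\"') + '"'


def in_list_expression(field: str, values) -> str:
    """Build `field in (v1, v2, ...)` with each value quoted as needed.

    `field` must come from your own code, not from the caller; only the values are
    treated as untrusted here.
    """
    if not values:
        raise ValueError("ListOfValues needs at least one StringExpression")
    return f"{field} in ({', '.join(quote_string_expression(v) for v in values)})"


if __name__ == "__main__":
    # Constructed inputs; the last one shows why quoting untrusted input matters:
    # unquoted, it would splice an extra clause into the query.
    for sample in ["testEvent0", "us-*", "test event", "latest", 'x" or process="index']:
        print(f"{sample!r:32} -> {quote_string_expression(sample)}")
    print(in_list_expression("method", ["GET", "POST"]))
    print(in_list_expression("az", ["us-east*", "us west"]))
```

Note that `us-*` is returned bare, so a wildcard in an untrusted value still acts as a wildcard; if that is not wanted, replace `*` with `\*` before quoting (and keep in mind that cribl cannot mix the two forms in one query).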
Time Syntax
The TimeString used for earliest and latest can be one of the following:
- A relative timestamp, expressed in the human-readable format described below. For example, earliest=-3h.
- An absolute timestamp, expressed in Unix time. For example, earliest=1729290112.
For relative timestamps, use the following syntax:
[+|-]TimeNumberTimeUnit[@SnapToTimeUnit]
| Argument | Values Supported |
|---|---|
+ or - | Optional, defaults to now. Use - for times in the past, or + for times in the future. |
TimeNumber | A positive integer. |
TimeUnit | Unit of time. Supports s[econds], m[inutes], h[ours], d[ays], w[eeks], mon[ths], q[uarters], y[ears]. |
@SnapToTimeUnit | Optional. Append the @ modifier, followed by any of the above TimeUnits, to round down to the nearest instance of that unit. (See the next section for details.) |
For absolute timestamps, use the following syntax:
TimeNumber
| Argument | Values Supported |
|---|---|
TimeNumber | A Unix time value (number of seconds since 1 Jan 1970). Can be either whole seconds (for example, 1700511360) or fractional to express milliseconds (for example, 1700511420.123). |
SnapToTimeUnit Syntax
The @ snap modifier always rounds down (backwards) from any specified time. This is true even in relative time
expressions with + (future) offsets. For example:
- @d snaps back to the beginning of today, 12:00 AM (midnight) UTC.
- +128m@h looks forward 128 minutes, then snaps back to the nearest round hour. (If you specified this as latest and ran the search at 4:20 PM, the range would end at 6:00 PM. The expression would look forward to 6:28 PM, but snap back to 6:00 PM.)
Other options:
- @w or @w7 to snap back to the beginning of the week, defined here as the preceding Sunday.
- To snap back to other days of a week, use @w1 (Monday) through @w6 (Saturday).
- @mon to snap back to the 1st of a month.
- @q to snap back to the beginning of the most recent quarter: Jan. 1, Apr. 1, Jul. 1, or Oct. 1.
- @y to snap back to Jan. 1.
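Because the snap modifier always rounds down, even after a + offset, the resolved window is not always what a reader expects from the expression. The Python resolver below is an added example written for this page (not Cribl’s implementation) that applies the relative syntax, the snap rules, the absolute Unix-time form, and the two constraints stated earlier (the window is [earliest, latest) and earliest may not be more than 90 days ago). Assumptions beyond what the page states: times are UTC; a relative expression with no sign is treated like +; the spelled-out units from the syntax table and the `min` spelling used in the page’s own examples are accepted; the month-based units use calendar arithmetic with the day clamped to the target month. SAMPLE_NOW is a constructed reference time.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

EARLIEST_LIMIT_SECONDS = 7776000  # 90 days: the documented floor for earliest

# Short forms, the spelled-out units the syntax table allows, and "min" (used in the page's examples).
_UNIT_ALIASES = {
    "s": "s", "second": "s", "seconds": "s", "m": "m", "min": "m", "minute": "m", "minutes": "m",
    "h": "h", "hour": "h", "hours": "h", "d": "d", "day": "d", "days": "d",
    "w": "w", "week": "w", "weeks": "w", "mon": "mon", "month": "mon", "months": "mon",
    "q": "q", "quarter": "q", "quarters": "q", "y": "y", "year": "y", "years": "y",
}
_SECONDS_PER = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MONTHS_PER = {"mon": 1, "q": 3, "y": 12}

# [+|-]TimeNumberTimeUnit[@SnapToTimeUnit]; either half may be absent; "@w3"-style day snaps allowed.
_RELATIVE_RE = re.compile(r"^(?:(?P<sign>[+-])?(?P<num>\d+)(?P<unit>[a-z]+))?(?:@(?P<snap>[a-z]+\d?))?$")

SAMPLE_NOW = datetime(2024, 5, 15, 16, 20, tzinfo=timezone.utc)  # constructed: Wednesday 16:20 UTC


def _canon(unit: str) -> str:
    if unit not in _UNIT_ALIASES:
        raise ValueError(f"unknown time unit: {unit!r}")
    return _UNIT_ALIASES[unit]


def _add_months(dt: datetime, months: int) -> datetime:
    # Calendar-aware month arithmetic; the day is clamped to the target month's length (assumption).
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return dt.replace(year=year, month=month0 + 1, day=min(dt.day, last_day))


def _offset(dt: datetime, n: int, unit: str) -> datetime:
    if unit in _MONTHS_PER:
        return _add_months(dt, n * _MONTHS_PER[unit])
    return dt + timedelta(seconds=n * _SECONDS_PER[unit])


def _snap(dt: datetime, snap: str) -> datetime:
    """Round *down* to the start of the unit, even after a '+' offset."""
    if snap == "s":
        return dt.replace(microsecond=0)
    if snap == "m":
        return dt.replace(second=0, microsecond=0)
    if snap == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if snap == "d":
        return day
    if snap[0] == "w":
        # @w and @w7 mean the preceding Sunday; @w1..@w6 mean Monday..Saturday.
        target = int(snap[1:]) if snap[1:].isdigit() else 7
        if not 1 <= target <= 7:
            raise ValueError(f"bad weekday snap: @{snap}")
        back = (day.weekday() + 1 - target) % 7  # weekday() has Monday=0; +1 gives cribl's numbering
        return day - timedelta(days=back)
    if snap == "mon":
        return day.replace(day=1)
    if snap == "q":
        return day.replace(month=3 * ((day.month - 1) // 3) + 1, day=1)
    if snap == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"bad snap unit: @{snap}")


def resolve_time(expr: str, now: datetime) -> datetime:
    """Resolve one TimeString ('now', a Unix timestamp, or a relative expression) to a UTC datetime."""
    expr = expr.strip()
    if expr == "now":
        return now
    if re.fullmatch(r"\d+(?:\.\d+)?", expr):  # absolute: whole or fractional seconds since the epoch
        return datetime.fromtimestamp(float(expr), tz=timezone.utc)
    m = _RELATIVE_RE.fullmatch(expr)
    if not m or (m["num"] is None and m["snap"] is None):
        raise ValueError(f"bad TimeString: {expr!r}")
    dt = now
    if m["num"] is not None:
        n = int(m["num"])  # assumption: a missing sign behaves like '+'
        dt = _offset(dt, -n if m["sign"] == "-" else n, _canon(m["unit"]))
    if m["snap"] is not None:
        snap = m["snap"]
        dt = _snap(dt, snap if snap[0] == "w" and snap[1:].isdigit() else _canon(snap))
    return dt


def time_range(earliest: str, latest: str, now: datetime):
    """Resolve earliest/latest and enforce the documented constraints:
    the window is [earliest, latest) and earliest may not be more than 90 days ago."""
    start, end = resolve_time(earliest, now), resolve_time(latest, now)
    if start >= end:
        raise ValueError("earliest must be before latest (latest is exclusive)")
    if start < now - timedelta(seconds=EARLIEST_LIMIT_SECONDS):
        raise ValueError("earliest is more than 90 days (7776000 seconds) ago")
    return start, end


if __name__ == "__main__":
    for expr in ["+128m@h", "@d", "@w", "@w1", "@q", "-2h@h", "-1mon", "1700511360.123"]:
        print(f"{expr:>18} -> {resolve_time(expr, SAMPLE_NOW).isoformat()}")
    print(time_range("-2h@h", "-1h@m", SAMPLE_NOW))
```

Running it reproduces the page’s worked case: from 16:20, +128m@h lands on 18:00, not 18:28. The same resolver is handy for validating a window before submitting a search, since a window that violates the 90-day floor or has earliest at or after latest is rejected here rather than by the search backend.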
Examples
Simple term search over all events in the default Dataset:
"goats"
Looking only for records that match both terms:
"goats" and ("climb" or "rock climb")
Looking in the network field for “sector7”:
network in ("sector7")
Looking in the region field for values that start with us-:
region in (us-*)
Restricting the search to certain fields:
disk="f9" or process="index"
Specific time limit:
earliest=-2h@h latest=-1h@min
Searching Datasets that start with foo for specific terms and field values within a specified time range:
dataset=foo* (blocked or "access denied") method in (POST, GET) az !in (us-east*, us-west-2) host!=local* earliest=-2h@h latest=-1h@min
Return results that match “test event”:
dataset=$vt_dummy event<10
| extend _raw=iif(event%2>0, "This is a test event", "This is another event")
| cribl "test event"