On This Page

Home / Search/Explore Your Data Before Running a Search

Explore Your Data Before Running a Search

Explore your data in Cribl Search to understand what is in a Dataset before you write a query. View dataset-level and field-level statistics, plus usage history, so you can quickly decide which Dataset to use and how to query it.

Dataset-level Statistics

Some statistics may take a short time to appear after data ingestion begins.

  1. In Cribl Search, go to Search Home.
  2. In the Available Datasets area, find the Dataset you want to explore.
  3. Select the Dataset name to open its details. You will see top-line Dataset statistics, field statistics, and (where available) usage history and saved content.

Use the top section of the Dataset details page to answer: “Do I have the right data, and for what period?”

  1. In the time window control, choose a range (for example, 1 day, 7 days, 30 days (default), or 1 year).
  2. Review the Dataset profile for that window:
    • Total event count
    • Total data size (for example, in GB or TB)
    • Earliest event time and Latest event time (how far back the data goes and how fresh it is)
    • Volume trend chart (events or size over time) to spot spikes, drops, or gaps

These metrics tell you whether the Dataset has data for the period you care about, has continuous coverage (no obvious gaps), and is growing or changing in ways that might matter for your investigation.

Field Statistics

Use the Fields section to see how data is structured and which fields are worth using in filters, group-bys, and aggregations.

Fields Table

For the selected time window, the table lists each field with:

  • Name: Field name as you will reference it in queries.
  • Type: String, numeric, boolean, object/array, and so on.
  • Presence (%): Percentage of events in the window that contain the field.
  • Distinct values: Rough count of unique values.
  • Null / empty values: Counts of events where the field is present but null or empty.

This helps you spot high-presence fields that are safe to use in filters and joins, find low-cardinality fields that make good group-by dimensions, and identify fields with many null or empty values that may not be reliable.

Drill into a Field

  1. In the Fields table, select a field name (for example, source_ip or clientip.)
  2. Review the field details, such as top values over the selected time window and distribution metrics (for example, min/max/average for numeric fields.)
  3. To use a value in a query, select a top value to add it to the query builder, or use the Add field to search action (if available) to inject field == value into your search.

This workflow replaces trial-and-error profiling searches with guided field exploration.

Usage Statistics

Data Explorer shows how a Dataset is being used so you can focus on popular and active data sources first.

Typical usage metrics include:

  • Search count: How many searches have run against this Dataset in a recent period (for example, last 30 days).
  • Search trend: How that activity changes over time.
  • Last queried time: When someone last ran a search on the Dataset.
  • Unique user count: How many distinct users have queried it. Use these signals to prefer Datasets with higher search counts and recent last queried timestamps when you are new to an environment, and to de-prioritize Datasets that see little or no usage unless you have a niche use case.

Search History and Saved Content

Once you have confirmed the Dataset is relevant, use its history to avoid starting from a blank query.

Search History

  1. In the Dataset details view, open the Search History section or tab.
  2. Browse recent queries that other users ran against this Dataset.
  3. Select a query to open it in the search UI over the original time range, or copy the query text and adapt it for your use case.

This is especially useful for onboarding new analysts: copy, tweak, and run instead of inventing everything from scratch.

Tips and Limitations

  • Lakehouse Datasets first: Data Explorer’s profiling and usage stats focus on Lakehouse Datasets. Federated Datasets may not expose the same level of detail.
  • Freshness vs. cost: More detailed or longer-range stats can be more expensive to compute. If a very long time window feels slow, narrow the range to speed up exploration.
  • New Datasets: If you just started sending data to a Dataset, give it time for statistics to show up, especially for multi-day views.
  • Permissions: Data Explorer respects existing access controls. Dataset details, search history, and saved content are only visible if you are allowed to see them.