Define how Cribl Search interprets raw data, so you can extract meaningful fields and search faster.

What’s a Datatype? ​

A set of rules that defines how Cribl Search processes incoming data into structured events.

If you’re ingesting data into a lakehouse engine, Auto-Datatyping can parse your data automatically.

Datatypes allow Cribl Search to:

• Recognize the type of the incoming data (for example, “AWS S3 server access logs”), and detect how it’s formatted (for example, JSON Array).
• Break events: Split raw input into discrete events.
• Parse fields: Turn event text into fields you can query.
• Extract time: Pull event timestamps to add the _time field to each event.
• Enrich data: Compute additional fields for schema mapping or other enrichment.

Datatypes add the relevant datatype field to each event (for example, datatype: "aws_s3_server_access_logs").

Example: AWS VPC Flow Log ​

Here’s how the aws_vpcflow v1 Datatype processes an AWS VPC Flow Log event:

2 123456789010 eni-0858304751c757b2e 31.200.171.164 22.109.125.129 58551 456 17 10824 352 1262332801 1262333301 ACCEPT OK

{
  "_raw": "2 123456789010 eni-0858304751c757b2e 31.200.171.164 22.109.125.129 58551 456 17 10824 352 1262332801 1262333301 ACCEPT OK",
  "_time": 1262332801,
  "datatype": "aws_vpcflow",
  "srcaddr": "31.200.171.164",
  "dstaddr": "22.109.125.129",
  "srcport": "58551",
  "dstport": "456",
  "action": "ACCEPT"
}

v1 and v2 Datatypes ​

Cribl Search features two Datatype models: older v1 Datatypes are gradually being replaced with the more efficient v2 Datatypes.

Learn more about each type:

• v1 Datatypes in Cribl Search
• v2 Datatypes in Cribl Search

As of Cribl Search 4.18.0, the two Datatype models compare as follows:

Stock and Custom Datatypes ​

Cribl Search ships with a wide range of stock Datatypes:

• List of Stock v1 Datatypes
• List of Stock v2 Datatypes

You can also:

• Create your own Datatypes.
• Export or import Datatypes through Packs.