Deep Investigations (Preview)
Preview Feature
Cribl is still developing this Preview feature. We don’t recommend using it in a production environment, because the feature might not be fully tested or optimized for performance, and related documentation could be incomplete.
Please continue to submit feedback through normal Cribl support channels, but assistance might be limited while the feature remains in Preview.
Deep Investigation Mode is an opt-in investigation experience that structures your analysis around hypotheses. Instead of an open-ended conversation, Cribl Search proposes a set of hypotheses, you select the ones you want to pursue, and the AI validates each one sequentially – running queries, gathering evidence, and building toward a structured conclusion.
Before You Begin
- AI must be enabled in your organization.
- The Search Investigations setting must be active in Global Settings > AI Settings.
- A paid, active Cribl Search subscription or billing plan is required.
Enable Deep Investigation Mode
Deep Investigation Mode is off by default. To enable it:
- On the Search Home page, select Run Investigation to open an investigation.
- In the Investigations toolbar, select the Deep Investigation Mode toggle.
The toggle state is saved and persists across page reloads. To return to standard investigation mode, toggle it off.

How the Workflow Differs from Standard Investigations
Standard investigations use a free-form conversation model. Deep Investigations use a structured state machine that progresses through the following phases:
- Establish a goal: Describe a scenario, select a recent incident, or browse external context. Cribl Search infers and records the investigation goal.
- Identify data sources: Cribl Search selects up to five relevant Datasets and examines their schema and field statistics. If Dataset Intelligence is enabled on a Dataset, that context is used automatically.
- Select hypotheses: Cribl Search proposes a list of hypotheses for you to review. Select the ones you want to investigate. You can also add your own.
- Validate hypotheses: Cribl Search validates each selected hypothesis strictly one at a time, in the order selected. During this phase, the chat thread stays quiet while Cribl Search runs queries and updates progress in the background.
- Review the summary: When all hypotheses have a terminal status, Cribl Search presents a structured investigation summary with findings, a conclusion, and terminal action buttons.
View the Investigation Graph
The Investigation Graph is a visual map of the investigation that updates as Cribl Search progresses.
To open it, select Map in the Investigations toolbar.
The graph displays the following nodes:
- System Alert: Shown when the investigation was started from an alert.
- Investigation Goal: The goal statement inferred from your input.
- Context Discovery: Contains a sub-node for each data source identified as relevant.
- Hypotheses: Contains a sub-node for each hypothesis selected.
- Conclusion: The overall outcome after all hypotheses reach a terminal status.
Select any hypothesis node to open the Hypothesis Drawer, which shows the hypothesis details, evidence gathered, and the Disregard option.
Hypothesis Statuses
Each hypothesis moves through a set of statuses during the investigation:
| Status | Meaning |
|---|---|
| Enqueued | Selected and waiting to be investigated |
| Investigating | Currently being validated |
| Confirmed | Evidence strongly supports the hypothesis |
| Inconclusive | Evidence is partial or ambiguous |
| Unlikely | Evidence contradicts the hypothesis |
| Failed | Investigation could not gather sufficient evidence |
| Disregarded | Dismissed by you before or during investigation |
All statuses except Enqueued and Investigating are terminal – the investigation does not revisit a hypothesis once it reaches a terminal status.
Disregard a Hypothesis
You can dismiss a hypothesis at any time during the investigation.
- In the Investigations toolbar, select Map to open the Investigation Graph.
- Select the hypothesis node you want to dismiss.
- In the Hypothesis Drawer, select Disregard.
A disregarded hypothesis is marked terminal immediately. Cribl Search will not run further queries for it. It is still noted in the investigation summary so your findings remain accurate.
Finish the Investigation
When every hypothesis has a terminal status, Cribl Search presents the investigation summary. From the summary, you can:
- Save to Notebook: Builds a Notebook containing the AI-generated summary, the queries run, key results, and recommendations. See Notebooks for details.
- Dig deeper into findings: Returns to the investigation to continue exploring.
- End investigation: Closes the investigation session.
Your session is saved automatically throughout. To return to this investigation later, select Copilot Sessions in the Investigations toolbar. See Saved Sessions for details.