Get Data Into Cribl Search
Send your events to Cribl-hosted lakehouse engines to keep it ready for fast investigations.
Highlights
- Ingest data directly into Cribl Search, auto-parsing events as they arrive.
- Run high-speed searches and precisely scoped AI investigations.
- Auto-scale storage with retention rules fine-tuned for different kinds of data.
Ingest Data to Run Fast, Schema-Aware Searches
Next to running federated queries on external storage, Cribl Search can also store your data in lakehouse engines. Use them for:
- High-speed search on fresh data for day-to-day investigations and incident response.
- Deeper AI-powered analysis, with structured data that makes exploration faster and more precise.
- Tight cost control through fixed-size engines and per-Dataset retention.
1. Add a Lakehouse Engine
Create a lakehouse engine first. It provides the storage and compute layer for ingested data.
Choose an engine size based on your expected daily ingest. Adjust over time as needed.
See Lakehouse Engines in Cribl Search to add an engine, choose a size, and estimate costs.
2. Connect Sources
With the engine ready, connect one or more Sources and start sending events.
Use Cribl Search Sources to choose the Source type and follow setup instructions for your sender.
3. Shape and Filter with Datatyping Rules
Datatype rules control how incoming events are parsed and labeled.
Start with Auto-Datatyping, then add targeted rules for uncategorized events, or add custom Datatypes. See Shape Data with Datatype Rules.
4. Organize and Control Retention with Dataset Rules
Dataset rules route parsed events into the right Search Datasets.
Use them to split data by Source, Datatype, or other fields, then set retention per Dataset. See Organize Data with Dataset Rules.
5. See Live Data Flow
Confirm that data arrives, parses, and routes as expected. See See Live Data Flow.