Get Data Into Cribl Search
Ingest data into Cribl Search lakehouse engines for schema-aware searches and precisely scoped AI investigations.
Highlights
- Send directly into Cribl Search, auto-parsing events as they arrive.
- First, add a lakehouse engine and Search Datasets within it. Then, connect your Sources.
- Parse with Auto-Datatyping or your own Datatype rules. Set Dataset rules to route the parsed events into the Datasets.
Lakehouse Engines Make Search Faster
Next to running federated queries on external storage, Cribl Search can also store your data in lakehouse engines.
Lakehouse engines keep your data hot for up to 10 years, with no storage tiering to manage. This allows for:
- High-speed search for day-to-day investigations and incident response.
- Deeper AI-powered analysis, with structured data that makes exploration faster and more precise.
- Tight cost control through fixed-size engines and per-Dataset retention.
You don’t have to use Cribl Stream, Edge, or Lake. You can ingest your data directly into Cribl Search.
Data Onboarding Overview
To ingest data into Cribl Search:
- Add a lakehouse engine.
- Create your Search Datasets.
- Connect your Sources.
- Set up Datatyping.
- Set Dataset rules.
- Start sending data.
1. Add a Lakehouse Engine
Create a lakehouse engine first. It provides the storage and compute layer for ingested data.
Choose an engine size based on your expected daily ingest. Adjust over time as needed.
See Lakehouse Engines in Cribl Search to add an engine, choose a size, and estimate costs.
2. Create Your Search Datasets
Prepare Search Datasets that you’ll later target with Dataset rules. This is where you set retention, from 1 day to 10 years, per Search Dataset.
See Create Search Datasets for planning guidance and step-by-step setup.
3. Connect Sources
With your lakehouse engine and Search Datasets ready, set up Sources in Cribl Search.
See Cribl Search Sources for end-to-end walkthroughs for each Source type.
4. Shape and Filter with Datatype Rules
Datatype rules control how incoming events are parsed and labeled.
Start with Auto-Datatyping. If needed, add new rules for uncategorized events, or create your own custom Datatypes.
See Shape Data with Datatype Rules.
5. Organize and Control Retention with Dataset Rules
Dataset rules route parsed events into your Search Datasets, so each event lands where its retention, investigation window, and access make sense.
See Organize Data with Dataset Rules.
6. Start Sending Data
Start sending events from your upstream sender. Confirm that data arrives, parses, and routes as expected, using the Live Data Flow.
See individual Cribl Search Sources tutorials to learn how to set up your client.
7. Search, Investigate, Visualize
Once your data is in Cribl Search, you can: