View, rerun, and reuse past searches, saving time and resources.

Highlights

​

• Open History from the Cribl Search left sidebar to see searches run in the past.
• View and query cached result sets instead of running the same search again.
• Search Admins control how long searches are kept.

History Lets You Analyze and Reuse Past Searches

​

Every query you run is recorded in History, along with its details and result set. Reusing those records helps you avoid duplicate searches across your team, saving time and credits. Use search history to:

• View a past search without rerunning it.
• Rerun a query with the same settings to check for changes or to add it to a Dashboard or Notebook.
• View the cached results of a past search, query that result set, or reuse it in a new query.

Search Admins control how long searches are kept.

Search Admins see the history of all searches in the Cribl.Cloud Organization. Search Users and Editors see only their own searches and searches shared with them.

View Search History

​

From the Cribl.Cloud top bar, select Products > Search > History.

On the History page:

• Select the column selector to show or hide columns.
• Select …more to see search details.
• Select Actions to rerun a search, save it, search its results, or add it to a Dashboard or Notebook.
• Select the refresh icon to refresh the page.
• Filter for Scheduled searches at the top right. Scheduled searches show information about their latest executions. To see individual runs, select items.
• Select check boxes to mark searches for deletion.

For a quick look at recent searches without leaving Search Home, select the History tab below the query box.

Rerun a Past Search

​

Run a new search using the same query text and settings as a search run in the past.

1. From the Cribl.Cloud top bar, select Products > Search > History.
2. In a search row, select Actions .
3. Select Rerun.

In certain cases, you may find it faster and cheaper to query the result set or simply view the cached results.

View Cached Search Results

​

Load the cached results of a past search. This doesn’t consume any credits.

1. From the Cribl.Cloud top bar, select Products > Search > History.
2. Select a search row.

Cribl Search loads the search and its cached results, without rerunning the query.

Query the Result Set of a Past Search

​

Run a query on the results of a search run in the past. This doesn’t rerun the original query itself, but runs an actual search on the result set, so can lead to minor credit consumption.

1. From the Cribl.Cloud top bar, select Products > Search > History.
2. In a search row, select Actions .
3. Select Search the Results.

A new tab opens and runs a search on the result set, using the $vt_results virtual table. You can now modify the query for further analysis.

Reuse the Results of a Past Search in a New Query

​

When writing a query, reference the result set of a past search, using the $vt_results virtual table. This lets you treat the results as a regular Dataset.

This doesn’t rerun the original query itself, but runs an actual search on the result set, so can lead to minor credit consumption.

Get the ID of the search you’re interested in (you’ll find it in the search details), and use the jobId predicate:

dataset="$vt_results" jobId="1704236905683.wgocax"

You can also load the results of multiple searches at once, for example:

dataset="$vt_results"
 | where jobId > "1704236905600" and jobId < "1704236906000"

To reuse the results of a saved or scheduled search, add the search name by using the jobName predicate. This will load the results of the latest execution of the saved search. For example:

dataset="$vt_results" jobName="mySavedSearch"

// or, for example
dataset="$vt_results"
 | where jobName startswith "my"

To load a specific execution of a saved search, use the execution parameter, for example:

// load the last run of mySavedSearch (default)
dataset="$vt_results" jobName="mySavedSearch" execution = 0

// load the run before last
dataset="$vt_results" jobName="mySavedSearch" execution = -1

For more information and examples, see $vt_results.

Add a Past Search to a Dashboard or Notebook

​

Find a search run in the past and add it to a new or existing Dashboard or Notebook.

1. From the Cribl.Cloud top bar, select Products > Search > History.
2. In a search row, select Actions .
3. Select Add to Dashboard or Add to Notebook.

Manage Search History Retention

​

Search Admins set the retention limits for search history:

• How long to keep each search (Search history TTL).
• How many searches to keep in total (Search history job limit).

The job limit takes priority. Once it’s reached, the oldest searches are deleted regardless of their TTL.

To set these limits:

1. From the Cribl.Cloud top bar, select Products > Search > Settings > Limits.
2. Set the Search history TTL and Search history job limit. For details, see List of Configurable System Limits.

To override both limits for a specific scheduled search, use the Keep last executions setting.

Notebooks have a hard-coded 30-day retention period. Exceeding the Search history job limit will cause other jobs to be removed before Notebook jobs, to respect this extension.