Investigate

You can explore events, identify patterns, and document results directly within Cribl Search.


Cribl Search investigations (Preview)

Cribl Search investigations (a Preview feature) provide a guided workspace where you can explore incidents and telemetry data using natural-language prompts. The feature helps you move from vague questions or active incidents to structured findings, while tracking the steps, queries, and summaries generated during the session.

What you can do:

  • Start from scratch - Begin with a specific incident or a described scenario and let Cribl Search identify relevant datasets and generate initial queries.
  • Explore - Ask questions in plain language. Cribl Search translates them to KQL, runs searches, and displays the query, results, and a short summary. For example: “Why are transactions slow?”, “Show failed login attempts from unusual locations.”, “What changed before this outage?”
  • Refine - Respond to Cribl Search’s suggested follow-up questions or ask your own to deepen the investigation. Cribl Search updates the underlying query while preserving context.
  • Enrich - Pull in related information from external systems such as Jira, Bitbucket, or Slack (when configured). Use the Generic HTTP API to connect Cribl Search investigations to external context.
  • Capture - Convert your session into a Notebook that preserves selected queries, results, and summaries as a shareable investigation artifact.
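
To make the Explore step concrete, here is one plausible KQL query that a prompt like “Show failed login attempts from unusual locations.” could translate to. This is an added illustration, not a query produced by Cribl Search or taken from Cribl’s documentation; the dataset name (`auth_logs`) and the field names (`action`, `outcome`, `user`, `src_country`) are assumptions, and “unusual” is operationalized here as source countries that rarely appear in failed-login events.

```kql
// Added example, not Cribl's own output. Dataset and field names are assumptions.
// Prompt: "Show failed login attempts from unusual locations."
dataset="auth_logs"
| where action == "login" and outcome == "failure"
// Count failures per source country and how many distinct accounts were targeted
| summarize failures=count(), targeted_users=dcount(user) by src_country
// Treat countries that rarely appear in the data as "unusual" (a simple heuristic)
| where failures < 5
| sort by failures asc
```

Reviewing the generated query, as shown above, is the point of the Explore step: the analyst can see exactly how a vague phrase such as “unusual” was turned into a concrete threshold and adjust it (for example, by comparing against a longer baseline window) in the Refine step rather than rewriting the query from scratch.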

Investigations reduce the time and effort required to move from a question to actionable findings by:

  • Generating KQL queries from natural-language prompts.
  • Identifying relevant datasets and key fields automatically.
  • Running initial searches to establish context.
  • Suggesting logical next steps based on results.
  • Reducing repetitive tasks such as adjusting time ranges, switching datasets, or rewriting similar queries.

By automating common investigative steps and maintaining context throughout the session, Cribl Search lets analysts focus on interpreting results rather than building and rebuilding queries.


Notebooks

A Notebook is a document-like workspace in Cribl Search where you and other data analysts can combine search queries, data visualizations, and Markdown notes into persistent, shareable investigations.

You can start an investigation from a Notebook, or convert a Cribl Search investigation into a Notebook to preserve findings, share results, and continue your analysis in a structured format.

What you can do:

  • Iterate: Run and maintain multiple searches next to one another for faster, more efficient investigations.
  • Annotate: Add context and clarity with Markdown notes for rich storytelling.
  • Collaborate: Share your work through fine-grained edit or read-only access.
  • Control: See who last edited your Notebook, and when.
  • Summarize: Use Cribl Copilot to generate summaries of your findings and run queries from natural-language prompts.

For details, see Notebooks.