You can explore events, identify patterns, and document results directly within Cribl Search.

Cribl Search investigations (Preview) ​

Cribl Search investigations (a Preview feature) is a guided workspace where you can explore incidents and telemetry data using natural-language prompts. It helps you move from vague questions or active incidents to structured findings, while tracking the steps, queries, and summaries generated during the session.

What you can do:

• Start from scratch: Begin with a specific incident or a described scenario and let Cribl Search identify relevant Datasets and generate initial queries.
• Explore: Ask questions in plain language. Cribl Search translates them to KQL, runs searches, and displays the query, results, and a short summary. For example: “Why are transactions slow?”, “Show failed login attempts from unusual locations.”, “What changed before this outage?”
• Refine: Respond to Cribl Search’s suggested follow-up questions or ask your own to deepen the investigation. Cribl Search updates the underlying query while preserving context. In Deep Investigation Mode, you can select from a list of AI-generated hypotheses and have Cribl Search validate each one sequentially.
• Enrich: Pull in related information from external systems such as Jira, Bitbucket, or Slack (when configured). Use the Generic HTTP API to connect Cribl Search investigations to external context, or configure MCP Integrations to make external MCP server tools available to Cribl AI agents.
• Capture: From the investigation summary, select Save to Notebook to create a Notebook that preserves queries, results, and summaries as a shareable artifact. Your session is also saved automatically and accessible later from Copilot Sessions in the toolbar.

Investigations reduce the time and effort required to move from a question to actionable findings by:

• Generating KQL queries from natural-language prompts.
• Identifying relevant Datasets and key fields automatically.
• Running initial searches to establish context.
• Suggesting logical next steps based on results.
• Reducing repetitive tasks such as adjusting time ranges, switching Datasets, or rewriting similar queries.

By automating common investigative steps and maintaining context throughout the session, Cribl Search lets analysts focus on interpreting results rather than building and rebuilding queries.

Notebooks ​

A Notebook is a document-like workspace in Cribl Search where you and other data analysts can combine search queries, data visualizations, and Markdown notes into persistent, shareable investigations.

You can start an investigation from a Notebook, or convert a Cribl Search investigation into a Notebook to preserve findings, share results, and continue your analysis in a structured format.

What you can do:

• Iterate: Run and maintain multiple searches next to one another for faster, more efficient investigations.
• Annotate: Add context and clarity with Markdown notes for rich storytelling.
• Collaborate: Share your work through fine-grained edit or read-only access.
• Control: See who last edited your Notebook, and when.
• Summarize: Use Cribl Copilot to generate summaries of your findings and run queries from natural-language prompts.

For details on working in a Notebook, see Notebooks. For the Templates tab, reusable layouts, and sharing templates, see Notebook templates.

Deep Investigations ​

Deep Investigations (Preview) is an opt-in investigation mode that structures analysis around hypotheses. Cribl Search proposes potential root causes, you select which to pursue, and the AI validates each one sequentially using targeted queries and evidence gathering.

What you can do:

• Select hypotheses: Review AI-generated hypotheses and choose which to investigate.
• Track evidence: Each hypothesis is validated with targeted queries and evidence is recorded automatically.
• Map the investigation: View the investigation as a graph showing goals, data sources, hypotheses, and the conclusion.
• Disregard: Dismiss a hypothesis at any time. It is marked terminal and noted in the summary.

For details, see Deep Investigations (Preview).