Run Investigations with Cribl Search (Preview)
Investigate incidents with AI guidance and capture your findings in one workspace.
Preview Feature
Cribl is still developing this Preview feature. We don’t recommend using it in a production environment, because the feature might not be fully tested or optimized for performance, and related documentation could be incomplete.
Please continue to submit feedback through normal Cribl support channels, but assistance might be limited while the feature remains in Preview.
The Cribl Search investigations page provides a guided workspace for investigations or explorations in your data using natural language. Cribl Search helps you analyze telemetry data, identify patterns, and document findings without manually building every query.
From this page, you can start a new investigation, explore datasets, or (coming soon) resume prior work.
Before You Begin:
- Ensure you have a paid, active Cribl Search subscription or billing plan.
- Enable investigations in Global Settings > AI Settings.
- Use the Generic HTTP API to connect Cribl Search investigations (Preview) to external context.
Choose How to Start
From the Search Home page, select Run Investigation. The Cribl Search investigations page opens.
You can start by describing a scenario in the prompt box or by selecting a starting scenario card. Cribl Search will prompt you for more context.
From a Specific Incident
Begin with a specific alert or known issue. Use this option when you already have a starting point (for example, an alert from Cribl or another monitoring tool). Cribl Search guides you through exploring relevant data.
Choose Select from recent incidents (for example, from FireHydrant). Cribl Search shows a list of recent incidents; select one (for example, “Credit Card Processing Outage”).
Explore Your Data
Start an open-ended exploration of your Datasets. Use this option to look for anomalies, trends, or unexpected patterns. Cribl Search helps identify relevant fields and suggests follow-up queries. Ideal for exploratory analysis or hypothesis development.
Example: “Help me investigate errors in system X over the past 2 days and suggest likely root causes and fixes.”
Resume a Prior Investigation (Coming Soon)
Extend or revisit an existing Notebook-based investigation. Resume previously documented findings and continue analysis while maintaining context. This feature is not yet available.
Refine and Extend the Investigation
Run the First Step
Choose a suggested step (for example, “Select from recent incidents” or “Review recent logs for service X”). Cribl Search:
- Generates the KQL query.
- Runs it against the selected dataset(s).
- Shows query text, a result preview, and a short natural-language summary.
Pull in External Context
If your organization has external providers configured (for example, FireHydrant, Jira, Bitbucket, Slack), you can ask Cribl Search to:
- “Search Jira for items linked to this incident.”
- “Find the Bitbucket PR mentioned in Jira ticket AI-2676.”
- “Summarize messages from the incident Slack channel around the outage time.”
Cribl Search runs dataset-backed queries (for example, dataset=jira_dataset ..., Bitbucket audit logs) and summarizes what it finds.
Use the Generic HTTP API to connect Cribl Search investigations to external context.
Refine and Correlate
Ask questions such as: “Is there any relationship between the Next.js version in this PR and the error seen in the credit card processing logs?” Cribl Search correlates fields across datasets and explains the link in plain language (for example, version mismatch causing the incident).
Create a Notebook
When you are satisfied with the findings:
- In the investigation chat, choose Create Search Notebook or type “Create a notebook with all findings and actions.”
- Cribl Search builds a Notebook containing:
- An AI-generated summary of the investigation.
- The queries it ran.
- Key results and recommendations.
You can then share or extend this Notebook as a durable investigation artifact. For more details, see Notebooks.