Cribl Search Notebooks (Preview)
Combine searches, visualizations, and notes into a single collaborative document.
Preview Feature
This Preview feature is still being developed. We do not recommend using it in a production environment, because the feature might not be fully tested or optimized for performance, and related documentation could be incomplete.
Please continue to submit feedback through normal Cribl support channels, but assistance might be limited while the feature remains in Preview.
Why Use Notebooks
A Notebook is a document-like workspace in Cribl Search where you and other data analysts can combine search queries, data visualizations, and Markdown notes into persistent, shareable investigations. Here’s what you can do with Notebooks:
- Reiterate: Run and maintain multiple searches next to one another, for faster, more-efficient investigations.
- Annotate: Add context and clarity with markdown notes for rich storytelling.
- Collaborate: Share your work through fine-grained edit or read-only access.
- Control: See who last edited your Notebook, and when.
- Summarize: Use Cribl Copilot to generate summaries of your findings, and to run queries from natural-language prompts.
Start working with Notebooks from anywhere in Cribl.Cloud: On the top bar, select Products > Search > Notebooks.
What’s in a Notebook
A Notebook consists of search cells and note cells.
When a Notebook is shared, Maintainers can add and edit cells, drag cells up and down, and clone the Notebook. Read Only users can view the cells and their results. Read more about Notebooks access.
Start a New Notebook
You can create an empty Notebook, and then add searches and notes as needed.
- Go to the Notebooks page in Cribl Search: On the top bar, select Products > Search > Notebooks.
- Select Add Notebook. Your new Notebook opens and gets autosaved.
- Start running searches and adding notes.
You can start a Notebook from a search you just ran.
- Start running your search from Search Home.
- Select the Actions drop-down, and select Add to Notebook.
- Enter the Notebook name.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any saved search (as long as it’s not part of a Pack) into a Notebook search cell, creating a new Notebook.
- Go the Saved Searches page in Cribl Search: On the top bar, select Products > Search > Saved Searches.
- Select the Actions button to the right of a search, and select Add to Notebook.
- Enter the Notebook name.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any search kept in History into a Notebook search cell, creating a new Notebook.
Go the History page in Cribl Search: On the top bar, select Products > Search > History.
Select the Actions button to the right of a search, and select Add to Notebook.
Enter the Notebook name.
Enter the Cell title. This will be the name of the search cell in your Notebook.
Select Add & Go to Notebook.
Add Searches to Your Notebook
You can run multiple new searches directly from your Notebook. You need to be the Notebook Maintainer for this.
- Open an existing Notebook or create a new one.
- At the bottom of the Notebook, select New Search. A cell with a query box opens.
- Run your query, as you would anywhere else in Cribl Search. To learn how, see some quick examples, or this tutorial: Write Your First Query. If your Organization has Cribl Copilot enabled, you can also use your search cells to run natural-language queries.
- To add another query, select New Search again. You can start another search while the first one is still running.
Alternatively, you can create a new search cell by selecting a field within a field summary or event details drawer, and then selecting Add field to new cell from the resulting context menu.
You can add a search you just ran to an existing Notebook. You need to be the Notebook Maintainer for this.
- Start running your search from Search Home.
- Select the Actions drop-down, and select Add to Notebook.
- Select Use Existing.
- Select the Notebook.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any saved search (as long as it’s not part of a Pack) into a Notebook search cell, adding it to an existing Notebook. You need to be the Notebook Maintainer for this.
- Go the Saved Searches page in Cribl Search: On the top bar, select Products > Search > Saved Searches.
- Select the Actions button to the right of a search, and select Add to Notebook.
- Select Use Existing.
- Select the Notebook.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any search kept in History into a Notebook search cell, adding it to an existing Notebook. You need to be the Notebook Maintainer for this.
- Go the History page in Cribl Search: On the top bar, select Products > Search > History.
- Select the Actions button to the right of a search, and select Add to Notebook.
- Select Use Existing.
- Select the Notebook.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
Add Notes to Your Notebook
You can add markdown-formatted notes to your Notebook using headings, lists, links, and more. See Markdown Guide for basic syntax.
You need to be the Notebook Maintainer for this.
- Open an existing Notebook or create a new one.
- At the bottom of the Notebook, select Add Note. A new note cell opens.
- Write your notes using markdown. The Notebook gets autosaved.
Summarize Your Notebook With Cribl Copilot
If your Organization has Cribl Copilot enabled, you can generate an AI summary of your Notebook findings.
- Open an existing Notebook or create a new one.
- In the top-right corner, select Summarize.
A summary of your Notebook appears in a new note cell at the top of the Notebook. You can edit the summary as needed.
Customize Notebook Display
To make your Notebook easier to skim, you can manage how much detail the Notebook displays. In the top-left corner of each cell, a Collapse/Expand toggle enables you to reduce the cell’s vertical depth to a summary view.
In the top-right corner of the Notebook itself, the Actions
drop-down provides two toggles to manage the appearance of the whole Notebook:
Select Collapse All Cells or Expand All Cells to control the vertical spread of all cells at once.
Select Wide Layout or Default Layout to control the horizontal width available for Notebook contents.
Export Notebook Search Results
You can export the results of a Notebook search as a CSV or NDJSON file.
- Open an existing Notebook or create a new one.
- In a search cell, select the Actions
button.
- From the drop-down, select Export as, and then either Export Results as CSV or Export Results as NDJSON.
Export a Notebook Chart
You can export a Chart contained in a Notebook search cell, as a JPG or PNG file.
- Open an existing Notebook or create a new one.
- In a search cell, select the Actions
button.
- From the drop-down, select Export as, and then either Export Chart as JPG or Export Results as PNG.
Share Your Notebook
You can allow others to view or edit your Notebook at any time. For example, you might want to:
- Invite colleagues to join the investigation and contribute their expertise.
- Let others retrace your steps and pick up where you left off.
- Tell the full story behind your analysis, so stakeholders can understand how you reached your conclusions and review any assumptions you made.
You can share a Notebook with other Members or Teams. You need to be the Notebook Maintainer for this.
- Open an existing Notebook or create a new one.
- In the top-right corner, select the Share button. Now, you can see who has access to the Notebook and at what level.
- Search for the Members or Teams you want.
- Select the access level (Read Only or Maintainer). For details, see Notebooks Access.
- Confirm with Add Access.
Notebooks Access
By default, your Notebooks are available to you, Search Admins, Organization Admins, and Organization Owners.
| Search Member Type | Create Notebooks | List Notebooks | Delete Notebooks |
|---|---|---|---|
| Search Editor | ✓ | Only own or shared | Only own or shared |
| Search User | ✓ | Only own or shared | Only own or shared |
| Search Admin | ✓ | ✓ | ✓ |
| Organization Admin | ✓ | ✓ | ✓ |
| Organization Owner | ✓ | ✓ | ✓ |
When you share a Notebook, you can assign one of two access levels: Read Only or Maintainer. Here’s what each level allows:
| Action | Read Only | Maintainer |
|---|---|---|
| View the Notebook | ✓ | ✓ |
| View Results | ✓ | ✓ |
| Export Results | ✓ | ✓ |
| Open in Cribl Search | ✓ | ✓ |
| Rerun cells | ✓ | |
| Add cells | ✓ | |
| Edit cells | ✓ | |
| Delete cells | ✓ | |
| Share the Notebook | ✓ | |
| Lock or unlock the Notebook | ✓ | |
| Delete the Notebook | ✓ |
Synchronize or Lock Edits
As a Notebook creator, or with a Maintainer or higher Permission: When you save changes to a Notebook, a pop-up will alert you to any changes that other collaborators have made since your last save. In this read-only state, you will be required to reload the Notebook before saving.
You also have the option to lock a shared Notebook into a read-only state for other collaborators (as well as yourself). This is useful if you need to freeze a completed investigation’s results, to preserve their integrity against further changes.
In the Actions
drop-down at the top-right corner of the Notebook, select the Lock Notebook toggle to preserve the current Notebook state. Select Unlock Notebook to make the Notebook editable again.
Notebooks Retention
Notebooks have a hard-coded 30-day retention period to facilitate extended investigations. Exceeding the Search history job limit will cause other jobs to be removed before Notebook jobs, to respect this extension.