Cribl Search Packs
Import, export, and share pre-built Cribl Search resources.
Why Use Packs
A Pack is a collection of preconfigured Cribl Search assets, such as ready-to-use Dashboards, saved searches, or lookup files. Packs can help you and your team get started faster, quickly see what Cribl Search is capable of, and easily move complex configurations across different environments.
What’s in a Pack
A Pack can contain any of the following resources:
A Pack can’t reference other Packs, but it can reference other resources within the same Pack. It can also reference global, non-Pack resources. For details, see Pack Dependencies and Packs Limitations.
Who Can Use Packs
Packs are available to Cribl Search Admins and Editors. For reference, see Search Member Permissions.
Admins and Editors can:
- View Packs installed in the Organization.
- Use a Pack’s resources, if the Pack is set to allow global access.
- Get new Packs from the Cribl Packs Dispensary, or import them from a file, URL, or Git repo.
- Modify existing Packs, including adding more resources, or modifying metadata.
- Create new Packs from scratch, using the Cribl Search UI.
- Share Packs, allowing access to Pack resources, or exporting a Pack to a file.
View Packs
To see Packs installed in your Organization, go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
The ID column shows each Pack’s ID, by which you can reference the Pack’s resources.
You can hover over an ID and select to copy it to the system clipboard.

Select a Pack to view the resources it contains. You can then switch among the upper tabs to view the Pack’s Dashboards, Saved Searches, Datatypes, Macros, and Lookups.

Use Packs
If a Pack is set to allow global access, you can use its resources similarly to any other resources in Cribl Search. For example, you can run saved searches included in the Pack, reference a Pack Macro in a query, or use a Pack lookup.
Use a Pack Macro
To use a Pack Macro from outside its Pack, make sure the Pack is set to allow global access. Then, reference the Pack’s ID (packId) and the Macro’s ID (macroId), in the following format:
${pack(packId).macroId}
For example, to use myMacro residing in a Pack called cribl-sample-data:
${pack(cribl-sample-data).myMacro}
Use a Pack Lookup
To use a Pack lookup from outside its Pack, make sure the Pack is set to allow global access.
Then, reference the Pack’s ID (packId) and the lookup’s ID (lookupId), in the following format:
lookup pack(packId).lookupId
For example, to look for a common field in the event and in a lookupTable residing in myPack:
dataset=myDataset
| lookup pack(myPack).lookupTable on commonField
Use a Pack Saved Search
To use a Pack saved search from outside its Pack, make sure the Pack is set to allow global access. Then, reference the Pack’s ID (packId) and the saved search’s ID (savedSearchId), in the following format:
packId.savedSearchId
Use a Pack Datatype
To use a Pack Datatype from outside its Pack, make sure the Pack is set to allow global access.
Then, reference the Pack’s ID (packId) and the Datatype’s ID (datatypeId), in the following format:
packId.datatypeId
Get Packs
As a Cribl Search Admin or Editor, you can install Packs in your Organization by importing them from the following sources:
You can also create a new Pack from scratch, or modify an existing Pack.
Add a Pack from Dispensary
The Cribl Packs Dispensary is a Cribl-hosted resource for you to find and share Packs. Cribl, our partners, and community users develop Packs and submit them to the Dispensary for easy sharing. Cribl tests submissions before publication, to ensure each Pack’s quality, security guardrails, and stability.
You can install Dispensary Packs as follows:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select Add Pack > Add from Dispensary. The Packs Dispensary will open in a drawer.
- Using the drawer controls, browse or search for the Pack(s) you want. (You can filter for only Packs Built by Cribl.)
- Select any Pack tile to display its details page with its README. This will typically outline the Pack’s purpose, compatibility, requirements, and installation.
- To proceed, select Add Pack on this page.
- That’s it! You’ll see a banner confirming that the Pack is now installed.
Import a Pack from File
To import a new Pack, or an updated version of an existing Pack, from your local filesystem:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select Add Pack > Import from File.
- Select the file to import.
- Optionally, give the Pack an explicit, unique New Pack ID. (For details about this option, see Upgrade a Pack.)
- Select Import to confirm the import.
When you import Packs that were exported in merge mode, make sure to re-enter any required secrets to restore full functionality. This is necessary because Cribl Search deletes all encrypted fields during the export process, to ensure security and prevent the accidental sharing of sensitive information.
Import a Pack from URL
To import a Pack from a known, public or internal, URL:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select Add Pack > Import from URL.
- Enter a valid URL for the Pack’s source. (This field’s input is validated for URL format, but not for accuracy.)
- Optionally, give the Pack an explicit, unique New Pack ID. (See Upgrade a Pack.)
- If the Pack matches an installed Pack’s Pack ID, confirm that you want to Overwrite the existing Pack.
- Select Import to confirm the import.
Import a Pack from Git
You can import a Pack from a known public or private Git repo.
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select Add Pack > Import from Git.
- Enter the source repo’s valid URL.
This field’s input is validated for URL format, but not for completeness or accuracy. When targeting a private repo, use the format: https://<username>:<token/password>@<repo‑address>. Public repos need only https://<repo‑address>.
- Optionally, give the Pack an explicit, unique New Pack ID. (See Upgrade a Pack.)
- If the Pack matches an installed Pack’s Pack ID, confirm that you want to Overwrite the existing Pack.
- Optionally, enter a Branch or tag to filter the import source using the repo’s metadata. You can specify a branch (such as main) or a tag (such as a release number like 0.5.1).
- Select Import to confirm the import.
Pack Dispensary GitHub Repo
A particularly useful public repo is the Cribl Pack Dispensary on GitHub. This repo was established prior to the Cribl-hosted Cribl Packs Dispensary site, and it is a place to collaborate on developing Packs prior to submitting them to the newer site.
You can install Packs directly from this repo using the Import from Git option. However, if you prefer, you can click through to any Dispensary repo’s release page, download the corresponding .crbl file, and then upload the file into Cribl Search.
Modify Packs
As a Cribl Search Admin or Editor, you can modify existing Packs:
Add a Resource to a Pack
You can fill a Pack with Dashboards, saved searches, Datatypes, Macros, and lookups.
For example, to add a Dashboard to a Pack:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select the Pack you’re interested in. Use the search box to filter the list.
- From the Dashboards tab, select Add Dashboard to access the two options listed below:
- Add Existing: Opens an Add Existing Dashboards modal, where you can select one or more Dashboards that are available to you, and add them to this Pack. (The list displayed in this modal will, by design, omit Dashboards already included in the Pack.)
- Add New: Opens a New Dashboard modal, where you can configure a new Dashboard using the controls covered in Create a Dashboard.
For details on how to reference different types of Pack resources, see Pack Dependencies.
Delete a Pack Resource
To remove a Pack resource (Dashboard, saved search, Datatype, Macro, or lookup), you need to delete it from within its Pack.
For example, to delete a Pack Dashboard:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select the Pack you’re interested in. Use the search box to filter the list.
- From the Dashboards tab, select the checkbox of the Dashboard to delete.
- Select Delete selected dashboards.
Modify a Pack’s Metadata
You can modify a Pack’s metadata, such as display name, version, description, and others.
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select the Pack you’re interested in. Use the search box to filter the list.
- Select the Pack Settings upper tab to expose two options on the left:
- README: Here, you can edit extended information about the Pack, including its purpose, requirements (prerequisites), and usage instructions.
- Settings: Here, you can update the Pack’s Display name, Version number, short Description, Author, and arbitrary Tags. You can also control access to the Pack.
- Save your changes.

Set a Pack’s Logo
We recommend adding a logo to each custom Pack, to visually distinguish the Pack UI from the surrounding Cribl Search UI (as well as from other Packs).
You can upload a .png or .jpg/.jpeg file, up to a maximum size of 2 MB and 350x350 px. Cribl recommends a transparent image, sized approximately 280x50 px.
To set a logo for an existing Pack:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select the Pack you’re interested in. Use the search box to filter the list.
- Go to Pack Settings > Display.
- Select Choose File to upload a new logo, and confirm.
Upgrade a Pack
To upgrade an existing Pack to a newer version:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Open the Actions menu on a Pack’s row, and then select Upgrade.
When upgrading a Pack, we recommend that you:
- Initially, import the updated Pack with a new ID, and with a new Display name that includes the version number. (For example, Cribl Search Activity 0.5.) This enables you to review and adjust new behavior against currently-deployed configurations.
- Do a side-by-side comparison of the previous and new versions of the Pack. Remember to review the new Pack’s README.
- If the Pack includes any user-modified versions of default Cribl Search Knowledge resources (for example, lookups): Be sure to copy the modified files locally for safekeeping, before upgrading the Pack. After you install the upgrade, copy those files back to the upgraded Pack, overwriting the default versions in the Pack.
- Test, test, and test!
- If you’re confident in the new version, you have the option to now overwrite the existing Pack, using the same ID.
- Commit and Deploy.
Overwrite a Pack
Each Pack that you install within a given Organization must have a unique ID. The ID is based on the internal configuration of the Pack – not on its Display name, nor on its parent file name. You cannot share an ID between two (or more) installed Packs.
If you import a Pack whose internal ID matches an installed Pack – whether an update, or just a duplicate – you’ll be prompted to assign a unique New Pack ID to import it as a separate Pack.
Alternatively, you have the option to Overwrite the installed Pack, reusing the same ID.
With the Overwrite option, the imported Pack completely replaces your existing Pack. We recommend creating a local backup copy of the existing Pack first.
If you’ve modified an installed Pack, Cribl Search will block the overwrite of the Pack, to prevent deletion of your locally created resources.
Create Packs
As a Cribl Search Admin or Editor, you can create a new Pack from scratch, using the Cribl Search UI.
You can also create new Packs by importing, modifying, upgrading, or overwriting existing Packs.
When adding resources to a Pack, learn about how Pack dependencies work.
Create a Pack from UI
You can create a new Pack from scratch, using the Cribl Search UI.
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select Add Pack > Create Pack.
- Enter the following details:
- Display name is an arbitrary, human-readable name to identify this Pack.
- Pack ID is required, and must be unique within your Cribl Search Organization.
- Version is required, and identifies this Pack’s own versioning.
- Description and Author are optional identifiers.
- Tags are optional, arbitrary labels that you can use to filter/search and organize Packs.
- If you want to allow global access to this Pack, check Allow global access. This will make all of the Pack’s resources visible and usable from anywhere in the current Workspace.
- Select Save.
- On the Packs page, select the new Pack’s row to open the Pack.
- Configure the resources you want to pack up, using the standard Cribl Search controls for Dashboards, saved searches, Datatypes, Macros, or lookups. As you save changes in the UI, they’re saved to the Pack.
If you want to reference resources that reside outside the Pack, learn about how Pack dependencies work.
- Set the Pack’s logo, to visually distinguish the Pack UI from the surrounding Cribl Search UI (as well as from other Packs).
Share Packs
As a Cribl Search Admin or Editor, you can share Packs in the following ways:
- Allow access to all of a Pack’s resources, making them usable from anywhere in the current Workspace.
- Export a Pack to a file, so that you can share it with other Organizations.
Allow Global Access to a Pack
To make all of a Pack’s resources visible and usable from anywhere in the current Workspace:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- Select the Pack you’re interested in. Use the search box to filter the list.
- Go to Pack Settings > Pack Info.
- Check Allow global access, and confirm with Save.
Export a Pack
To download an existing Pack as a single file, for sharing with other Organizations:
- Go to the Packs page in Cribl Search: On the top bar, select Products > Search > Packs.
- In the row of the Pack you’re interested in, select the Actions menu, then Export.
- In the resulting Export Pack modal, the filename defaults to the Pack’s current ID, with the version number appended. You can modify this, as desired, before confirming the export.
If the Pack references any resources residing outside the Pack (for example, a global lookup file), you’ll see a warning, saying This Pack has external dependencies.
When you export Packs in merge mode, make sure to re-enter any required secrets after importing the Pack, to restore full functionality. This is necessary because Cribl Search deletes all encrypted fields during the export process, to ensure security and prevent the accidental sharing of sensitive information.
Pack Dependencies
When you’re creating a new Pack, or adding resources to an existing Pack, you can reference resources residing outside that Pack (“global” resources). Or, the other way around: you might want to reference a Pack resource from outside the Pack. Keep in mind the following guidelines about such dependencies.
Pack resources:
- Can reference other resources within the same Pack.
- Can reference global, non-Pack resources.
- Can’t reference other Packs.
Global resources, in turn, can reference a Pack’s resources only when the Pack is set to allow global access.
Reference a Macro
To reference a global Macro from the global context (for example, simply using a Macro in a query), use the standard Macro syntax.
${macroId}
To reference a Pack Macro from the global context, make sure the Pack is set to allow global access.
Then, specify the Pack’s ID with pack(packId), like this:
${pack(packId).macroId}
To reference a global Macro from within a Pack, specify the global Pack called cribl.
${pack(cribl).macroId}
To reference a Pack Macro from within the same Pack, you can use the standard Macro syntax:
${macroId}
A Pack can’t reference a Macro residing in another Pack.
Reference a Lookup
To reference a global lookup from the global context (for example, simply using the lookup operator in a query), use the standard lookup syntax. For example:
dataset=myDataset
| lookup lookupId on commonField
To reference a Pack lookup from the global context, make sure the Pack is set to allow global access.
Then, specify the Pack’s ID with pack(packId), like this:
dataset=myDataset
| lookup pack(packId).lookupId on commonField
To reference a global lookup from within a Pack, specify the global Pack called cribl.
dataset=myDataset
| lookup pack(cribl).lookupId on commonField
To reference a Pack lookup from within the same Pack, you can use the standard lookup syntax:
dataset=myDataset
| lookup lookupId on commonField
A Pack can’t reference a lookup residing in another Pack.
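The Macro and lookup reference rules above can be checked before a Pack is exported or shared. The following is an added example, not Cribl code: it scans query text stored inside a Pack for pack(...) references and separates global (cribl) dependencies from references to other Packs, which Packs can’t use. The function names, the ID character set, and the sample queries are assumptions made for illustration.

```python
import re

# Assumption: Pack and resource IDs consist of letters, digits, "_" and "-".
ID = r"[A-Za-z0-9_-]+"
MACRO_REF = re.compile(r"\$\{\s*pack\((" + ID + r")\)\.(" + ID + r")\s*\}")
LOOKUP_REF = re.compile(r"\blookup\s+pack\((" + ID + r")\)\.(" + ID + r")")
GLOBAL_PACK = "cribl"  # the page's name for the global, non-Pack context


def classify_refs(own_pack_id, query):
    """Return (kind, pack_id, resource_id, verdict) for each pack-qualified
    Macro or lookup reference in a query stored inside own_pack_id."""
    findings = []
    for kind, pattern in (("macro", MACRO_REF), ("lookup", LOOKUP_REF)):
        for m in pattern.finditer(query):
            pack_id, res_id = m.group(1), m.group(2)
            if pack_id == GLOBAL_PACK:
                verdict = "global"      # external dependency of the Pack
            elif pack_id == own_pack_id:
                verdict = "same-pack"   # the page documents the bare form here
            else:
                verdict = "cross-pack"  # Packs can't reference other Packs
            findings.append((kind, pack_id, res_id, verdict))
    return findings


def review_pack(own_pack_id, queries):
    """Split findings into external dependencies and unsupported references."""
    external, unsupported = [], []
    for name, query in queries.items():
        for kind, pack_id, res_id, verdict in classify_refs(own_pack_id, query):
            if verdict == "global":
                external.append((name, kind, res_id))
            elif verdict == "cross-pack":
                unsupported.append((name, kind, pack_id, res_id))
    return external, unsupported


# Constructed sample: query text of saved searches inside a Pack with ID "myPack".
SAMPLE_QUERIES = {
    "errors_by_host": "dataset=myDataset | lookup pack(cribl).hostOwners on host",
    "vendor_join": "dataset=myDataset | lookup pack(otherPack).vendors on vendorId",
    "filtered": "${pack(cribl).baseSearch} | lookup lookupTable on commonField",
}

if __name__ == "__main__":
    external, unsupported = review_pack("myPack", SAMPLE_QUERIES)
    print("external dependencies:", external)
    print("unsupported cross-Pack references:", unsupported)
```

Bare references such as ${macroId} or lookup lookupId are left alone, since inside a Pack they resolve within that Pack.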
Reference a Saved Search
To reference a global saved search from the global context (for example, when basing a Dashboard visualization on an existing saved search), use the saved search’s ID:
savedSearchId
To reference a Pack saved search from the global context, make sure the Pack is set to allow global access. Then, specify the Pack’s ID (packId) like this:
packId.savedSearchId
To reference a global saved search from within a Pack, specify the global Pack called cribl in the following format.
cribl.savedSearchId
To reference a Pack saved search from within the same Pack, you can use the standard syntax:
savedSearchId
A Pack can’t reference a saved search residing in another Pack.
Reference a Datatype
To reference a global Datatype from the global context (for example, when adding a Dataset), you normally use the Datatype’s ID:
datatypeId
To reference a Pack Datatype from the global context, make sure the Pack is set to allow global access. Then, specify the Pack’s ID (packId) like this:
packId.datatypeId
You can’t reference a Datatype from within a Pack.
Packs Limitations
Here’s what you can’t do with Packs:
- You can’t configure Notifications on a saved search that resides within a Pack.
- Packs can’t reference other Packs.