Productivity Tips

Efficiently view your data and format search queries.


These tips help you make the most of Cribl Search.

Preview Search Modifications

Use the Operator Preview feature to test new operators against a query you have already run. Preview works on a subset of the data that query retrieved, so you can model the change quickly without incurring the time or cost of rerunning the search until you’re ready.

  1. Add an operator to your search (for example, | extend or | extract).

  2. Hover over the operator keyword and select the Preview button.

  3. Update your search in the resulting Preview modal, then select the modal’s own Preview button to preview the results on up to 100 rows of your data.

  4. When you have validated your new query, select Apply. This sends the modified search back to your query box.

Quickly Format Queries

To make your search expression more readable in the query box, press the Ctrl + | (Linux, Windows) or Command + | (macOS) key combination. This wraps the query at each pipe symbol, so each pipeline stage starts on its own line.

Instead of this:

dataset="<my-datasource>" dataSource="VPC Flow Logs" | summarize count() by dst_port | lookup service_names on dst_port

See this:

dataset="<my-datasource>" dataSource="VPC Flow Logs"
| summarize count() by dst_port
| lookup service_names on dst_port
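To apply the same wrapping outside the UI, for instance to normalize queries kept in a repository or pasted into a ticket, the following Python function is an added example and not Cribl code. It reproduces the behaviour described above and treats a pipe inside a string literal (such as a regex alternation passed to replace_regex) as part of the stage rather than a boundary, which a naive split on | would get wrong. The string-literal forms it recognizes ("...", '...', and the @'...' form with no backslash escapes) are assumptions based on the queries shown on this page.

```python
def wrap_at_pipes(query: str) -> str:
    """Return `query` with one pipeline stage per line, as Ctrl+| does.

    Only a '|' outside a string literal starts a new stage. Assumed literal
    forms: "double", 'single' and @'verbatim'; a pipe inside any of them
    (say, a regex alternation passed to replace_regex) is data.
    """
    stages, buf = [], []
    quote, verbatim = None, False   # the quote char we are inside, if any
    i = 0
    while i < len(query):
        ch = query[i]
        if quote is None and ch == '|':
            stages.append(''.join(buf).strip())
            buf = []
        else:
            if quote is None and ch in ('"', "'"):
                quote = ch
                verbatim = bool(buf) and buf[-1] == '@'   # @'...' has no escapes
            elif quote and ch == '\\' and not verbatim and i + 1 < len(query):
                buf.append(ch)          # keep the backslash and its escaped char
                i += 1
                ch = query[i]
            elif ch == quote:
                quote = None
            buf.append(ch)
        i += 1
    stages.append(''.join(buf).strip())
    head, *rest = stages
    # A query that already starts with a pipe keeps its leading pipe.
    lines = ([head] if head else []) + ['| ' + s for s in rest if s]
    return '\n'.join(lines)
```

Running it on the one-line VPC Flow Logs query above yields exactly the three-line form shown, and running it again on the wrapped form leaves it unchanged, so it is safe to apply repeatedly.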

Simplify Queries with Reusable Macros

Cribl Search Macros let you store snippets of query text - and optionally, variables - that you can reuse in multiple queries by inserting the macro name in the form ${macro_name}.

Instead of this:

dataset="aws_ftc_audit_accesslogs"
| extend _raw=replace_regex(_raw, @'""', @'"')
| extract type=json

Insert this:

${ftc_audit_accesslogs}

Instead of this:

dataset="aws_ftc_audit_accesslogs" _raw!="\"_time\",source,host,sourcetype,\"_raw\",\"_meta\""
| extend _raw=replace_regex(_raw, @'""', @'"')
| extract type=json

Insert this:

${ftc_audit_accesslogs} ${exclude_header}

Manage Lookups

To list the names and contents of your lookup files, run this simple query:

dataset="cribl_lookups"

Filter Data with .show

To list the file names in a Dataset:

.show objects("cribl_search_sample")

To list file names that do not end with .gz:

.show objects("cribl_search_sample")
| where name !endswith('.gz')

Automatically Reuse Search Results

When writing a query, you can allow Cribl Search to automatically reuse the results of analogous searches that were run recently in your organization. This is especially useful for configuring Dashboards, or when you run the same query multiple times, potentially producing the same results.

Cribl Search treats two searches as analogous when they share the same:

  • Search plan: both searches can be broken down into the same set of pipelines. For example, sort by x desc | limit 10 has the same search plan as top 10 by x.
  • Datasets: both searches touch the same Datasets and are permitted to read them.
  • set statements that can affect results.
  • Relative time range.
  • Sample rate.

When a search reuses previous results, the Details tab describes it as an alias job and provides the ID of the job that produced the original results. To avoid exposing potentially sensitive information, you cannot access the logs, metrics, and diagnostics of either the alias job or the original job.

To allow automatic reuse, add a set statement at the beginning of your query with the allow_previous_results option set to a time interval.

For example, to allow Cribl Search to reuse results from the last 10 minutes, add the following statement:

set allow_previous_results="10min"

// here, add your query
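To make the criteria above concrete, the following Python models them as a search key: a new request can take over earlier results only when the two keys match, the new request opted in with allow_previous_results, and the earlier results still fall inside that window. This is an added example, not Cribl’s implementation. Its SearchRequest fields (relative_time_range, sample_rate, accessible_datasets) stand in for parameters chosen outside the query text; it assumes allow_previous_results is the only set option that does not affect results; it recognizes only the sort by x desc | limit N / top N by x equivalence named above; and it splits pipelines on pipes outside double-quoted strings. All sample queries in the test are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchRequest:
    """A query plus the parameters chosen outside the query text.
    Field names are this example's own, not a Cribl API (assumption)."""
    query: str
    relative_time_range: str        # e.g. "last 1h"
    sample_rate: float              # 1.0 = no sampling
    accessible_datasets: frozenset  # Datasets the caller may read


SET_RE = re.compile(r'^set\s+(\w+)\s*=\s*"?([^"]*)"?$')
DATASET_RE = re.compile(r'\bdataset\s*=\s*"([^"]+)"')
SORT_DESC_RE = re.compile(r'^sort by (\w+) desc$')
LIMIT_RE = re.compile(r'^limit (\d+)$')
INTERVAL_RE = re.compile(r'^(\d+)(s|min|h)$')
SECONDS = {'s': 1, 'min': 60, 'h': 3600}
# Split on '|' outside double-quoted strings (assumes no escaped quotes).
PIPE_RE = re.compile(r'\|(?=(?:[^"]*"[^"]*")*[^"]*$)')
# Assumption: this option only controls reuse and never changes a result set.
NON_RESULT_OPTIONS = {'allow_previous_results'}


def parse_set_statements(query: str):
    """Peel `set name="value"` lines off the start; return (options, body).
    Blank lines and // comments are skipped."""
    options, body = {}, []
    for line in query.splitlines():
        s = line.strip()
        if not s or s.startswith('//'):
            continue
        m = SET_RE.match(s)
        if m and not body:
            options[m.group(1)] = m.group(2)
        else:
            body.append(line)
    return options, '\n'.join(body)


def normalize_plan(body: str):
    """Canonical pipeline: whitespace-insensitive (so wrapping at pipes does
    not matter) and `sort by x desc | limit N` rewritten to `top N by x`."""
    plan = [' '.join(s.split()) for s in PIPE_RE.split(body) if s.strip()]
    out, i = [], 0
    while i < len(plan):
        m = SORT_DESC_RE.match(plan[i])
        n = LIMIT_RE.match(plan[i + 1]) if m and i + 1 < len(plan) else None
        if n:
            out.append(f'top {n.group(1)} by {m.group(1)}')
            i += 2
        else:
            out.append(plan[i])
            i += 1
    return tuple(out)


def search_key(req: SearchRequest):
    """Everything two searches must share to be analogous, or None when the
    caller cannot read a Dataset the query names (no reuse across that gap)."""
    options, body = parse_set_statements(req.query)
    datasets = frozenset(DATASET_RE.findall(body))
    if not datasets <= req.accessible_datasets:
        return None
    result_options = tuple(sorted(
        (k, v) for k, v in options.items() if k not in NON_RESULT_OPTIONS))
    return (normalize_plan(body), datasets, result_options,
            req.relative_time_range, req.sample_rate)


def can_reuse(new: SearchRequest, previous: SearchRequest, age_s: float) -> bool:
    """True when `new` opted in with allow_previous_results, `previous`
    finished `age_s` seconds ago (inside that window), and the keys match."""
    options, _ = parse_set_statements(new.query)
    m = INTERVAL_RE.match(options.get('allow_previous_results', ''))
    if not m or age_s > int(m.group(1)) * SECONDS[m.group(2)]:
        return False
    key = search_key(new)
    return key is not None and key == search_key(previous)
```

A caller without access to a Dataset gets no key at all, so the model never hands out results from a search over data the caller cannot read, and a change to the relative time range, the sample rate, or any result-affecting set statement produces a different key and therefore a fresh search.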