
Searching Cribl Edge

Learn how to search your Cribl Edge data.


Cribl Search comes with several Cribl Edge Datasets allowing you to quickly search Cribl Edge’s internal logs and metrics that provide comprehensive information about an instance’s status/health, inputs, outputs, Pipelines, Routes, Functions, and traffic. You can edit these built-in Datasets or create new ones to specify other logs anywhere in the filesystem that Edge can read.

Don’t have a Cribl Edge Node? See the setup guide for Cribl Edge.

This document provides examples of searching Edge logs and metrics. To start, navigate to Search Home, where searches are run.

Examples

Load Average

Imagine you are conducting an investigation and you need to determine which Edge Nodes have a higher-than-usual load average.

Let’s go to the Dataset called cribl_edge_metrics and tell the search to return all events that contain a node_load term. Then let’s ask it to build a time series of the one-minute load average (the default span) and split it by host:

dataset="cribl_edge_metrics" node_load*
| limit 1000
| timestats load1=max(node_load1) by host

Load average by host

We haven’t collected this data in advance; we haven’t moved it, pre-processed it, or run it through any ETL. The search executes in real time, on data at rest, directly on the Edge Node.

Let’s change the charting option to Area to improve visibility:

Area Chart of the load average by host

Cribl Search comes with rich charting options out of the box, allowing you to adjust Charts as needed.

System Logs

Now, let’s check the /var/log directories containing the system logs of all Edge Nodes in the Fleet. We will query the built-in cribl_edge_system_logs Dataset and tell the search to get all files that match *auth.log and contain the terms sshd and user. We also limit the number of results returned to 1,000:

dataset="cribl_edge_system_logs" source=*auth.log sshd user
| limit 1000

System logs search

Cribl Search understands that these events come from Cribl Edge, so we can select the link to jump directly to that Edge Node and view the file.

Open in Cribl Edge

Search Just a Single Fleet

You can easily filter Cribl Edge search results to a specific Fleet, using the built-in field cribl_fleet.

For example, the following query searches the cribl_edge_system_logs Dataset for events that:

  • Match *auth.log.
  • Contain the terms sshd and user.
  • Come from a Fleet called VermontGoatFarm.

dataset="cribl_edge_system_logs" source=*auth.log sshd user cribl_fleet=VermontGoatFarm
| limit 1000
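As an added example (not from the original page), the same Fleet-scoped search can be turned into a time series of sshd authentication failures per host, which gives a baseline for spotting password-guessing activity against a Node. It assumes OpenSSH’s standard "Failed password" log wording and that timestats accepts count() as an aggregation; the limit is dropped so the counts are not truncated.

```kusto
dataset="cribl_edge_system_logs" source=*auth.log sshd Failed password cribl_fleet=VermontGoatFarm
| timestats failures=count() by host
```

Switching the chart to Area, as in the load-average example above, makes a sudden spike on one host stand out against the others.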