Use Search Results
See how to export, reuse, and manage search results.
When you obtain each search’s results, you have several options to export the results from Cribl Search, and to reuse them within the product. You can also control how long Cribl Search retains your results.
Export Search Results
Use the export operator to export search results to either a lookup table or to a Cribl Lake Dataset.
dataset="cribl_search_sample"
| export to lake my_lake_dataset
Reuse Search Results
You can reuse the results of previous searches. This might let you avoid running the same search multiple times, saving you time and resources. Your options include:
- View the Cached Results of a Previous Search
- Search the Result Set of a Previous Search
- Use the Results of a Previous Search in a New Query
- Rerun a Search
- Automatically Reuse Search Results
You can access previous search results for as long as they’re kept in the system. For retention details, see:
View the Cached Results of a Previous Search
You can quickly display the cached results of any search kept in History. This doesn’t consume any credits.
- In Cribl Search, select History.
- Select the row of the search you’re interested in.
This displays the cached results of the search.
You can also select View Results in the Details of each search.
Search the Result Set of a Previous Search
You can quickly query the results of a previous search. This doesn’t rerun the original query itself, but it runs an actual search on the result set, so it can lead to minor credit consumption.
- In Cribl Search, select History.
- In the row of the search you’re interested in, select the Actions button at the far right.
- Select Search the Results.
In a new window, Cribl Search runs a search on the result set, using the $vt_results virtual table. You can now modify the query for further analysis.
You can also select Search the Results in the Details of each search. Read more about virtual tables here.
Reuse the Results of a Previous Search in a New Query
When writing a query, you can reference the result set of a previous search, using the $vt_results virtual table. This lets you treat the results as a regular Dataset.
While doing this doesn’t rerun the original query itself, it runs an actual search on the result set, so it can lead to minor credit consumption.
Get the ID of the search you’re interested in (you’ll find it in the Details tab), and use the jobId predicate:
dataset="$vt_results" jobId="1704236905683.wgocax"
You can also load the results of multiple searches at once, for example:
dataset="$vt_results"
| where jobId > "1704236905600" and jobId < "1704236906000"
To reuse the results of a saved or scheduled search, add the search name by using the jobName predicate. This will load the results of the latest execution of the saved search. For example:
dataset="$vt_results" jobName="mySavedSearch"
// or, for example
dataset="$vt_results"
| where jobName startswith "my"
To load a specific execution of a saved search, use the execution parameter, for example:
// load the last run of mySavedSearch (default)
dataset="$vt_results" jobName="mySavedSearch" execution = 0
// load the run before last
dataset="$vt_results" jobName="mySavedSearch" execution = -1
For more information and examples, see the $vt_results page.
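The three $vt_results query forms above, built programmatically with input validation. This is an added example, not code from Cribl or from the original page. Assumptions: the job ID prefix is a 13-digit epoch-millisecond timestamp (inferred from the sample ID on this page), the range predicate compares the quoted bounds as strings, and the function names and the name allow-list are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed job ID shape, inferred from the page's sample "1704236905683.wgocax":
# 13-digit epoch-millisecond prefix, a dot, then an alphanumeric suffix.
JOB_ID_RE = re.compile(r"\d{13}\.[A-Za-z0-9]+")
# Hypothetical allow-list for saved-search names; no quotes, pipes or newlines.
JOB_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_ms(ts: datetime) -> str:
    """Fixed-width millisecond string, so quoted bounds order like numbers."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return f"{(ts - EPOCH) // timedelta(milliseconds=1):013d}"


def query_by_job_id(job_id: str) -> str:
    if not JOB_ID_RE.fullmatch(job_id):
        raise ValueError(f"unexpected job ID: {job_id!r}")
    return f'dataset="$vt_results" jobId="{job_id}"'


def query_by_window(start: datetime, end: datetime) -> str:
    """Load every result set whose job ID falls between two timestamps."""
    lo, hi = epoch_ms(start), epoch_ms(end)
    if lo >= hi:
        raise ValueError("start must be earlier than end")
    return f'dataset="$vt_results"\n| where jobId > "{lo}" and jobId < "{hi}"'


def query_by_job_name(name: str, execution: int = 0) -> str:
    # Rejecting anything outside the allow-list keeps a name from closing the
    # quoted predicate and appending operators to the query.
    if not JOB_NAME_RE.fullmatch(name):
        raise ValueError(f"unexpected job name: {name!r}")
    # The page shows only 0 (latest) and negative offsets for execution.
    if isinstance(execution, bool) or not isinstance(execution, int) or execution > 0:
        raise ValueError("execution must be 0 or a negative integer")
    return f'dataset="$vt_results" jobName="{name}" execution = {execution}'
```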
Rerun a Search
You can easily run a new search that uses exactly the same query text and settings as a previous search.
- In Cribl Search, select History.
- In the row of the search you’re interested in, select the Actions button at the far right.
- Select Rerun.
You can also select Rerun in the Details of each search.
In certain cases, rerunning the search may not be necessary, and you’ll find it faster and cheaper to query the result set or simply view the cached results.
Automatically Reuse Search Results
When writing a query, you can allow Cribl Search to automatically reuse the results of analogous searches that were run recently in your organization. This is especially useful for configuring Dashboards, or when you run the same query multiple times, potentially producing the same results.
Cribl Search treats two searches as analogous when they share the same:
- Search plan: both searches can be broken down into the same set of pipelines. For example, sort by x desc | limit 10 has the same search plan as top 10 by x.
- Datasets: both searches touch (and have access to) the same Datasets.
- set statements that can affect results.
- Relative time range.
- Sample rate.
When a search reuses previous results, the Details tab describes such a search as an alias job, and provides the ID of the job that produced the original results. To hide potentially sensitive information, you can’t access the logs, metrics, and diagnostics of the alias job or the original job.
To allow for automatic reuse, at the beginning of your query add a set statement with the allow_previous_results option set to a time interval.
For example, to allow Cribl Search to reuse results from the last 10 minutes, add the following statement:
set allow_previous_results="10min";
// here, add your query
Manage Search Results
Search results are stored temporarily on your Organization’s Leader. We use an industry-standard AES-256 algorithm to encrypt your data at rest.
You can control how long Cribl retains your search results at Settings > Search > Limits > Search history TTL. For details, see Limits.