/ / / /

Searching Amazon S3

Learn how to search your Amazon S3 data.

Cribl Search supports searching Amazon S3 buckets. You need a Dataset Provider and a Dataset, see the setup guide for Amazon S3 and Data Lake Amazon S3 for details.

This document provides examples of searching objects from Amazon S3. To start, navigate to Search Home, where searches are run.

Examples

The following examples reference a built-in Dataset with the ID cribl_search_sample.

Basic Search

This search specifies the Dataset and limits the number of results.

dataset="cribl_search_sample" source=*vpc*
| limit 100

Run in Cribl Search

Basic search

Basic search

Built-in Parser

Cribl Search comes with parsing libraries so you don’t have to write them manually. Use the extract operator to reference the built-in Parser for VPC Flow Logs.

dataset="cribl_search_sample" source=*vpc*
| limit 100
| extract parser='AWS VPC Flow Logs'

Run in Cribl Search

Note the additional fields shown in the field browser.

Parser search

Parser search

If you want to see the built-in parser’s effects, first run the extract command below. Then add the extract command:

dataset="$vt_dummy"
 | extend _raw = "2 602320997947 eni-5nxjlyb0xm0o96kgs 52.216.176.35 10.0.0.138 1311 3389 6 7 7784 1730263536 1730263542 ACCEPT OK"

// Run the above portion first to see the logs unparsed. Add the extract operator below to show the built-in parser in action.
 | extract parser='AWS VPC Flow Logs'

Run in Cribl Search

Aggregate

To aggregate, we’ll use the summarize operator with the count function grouping by IP address pairs.

dataset="cribl_search_sample" source=*vpc*
| limit 1000
| extract parser='AWS VPC Flow Logs'
| summarize flowcount=count() by srcaddr, dstaddr
| sort by flowcount desc

Run in Cribl Search

Aggregating search

Aggregating search

Aggregate over time

To aggregate over time, we’ll use the timestats operator.

dataset="cribl_search_sample" source=*vpc*
| limit 1000
| extract parser='AWS VPC Flow Logs'
| timestats span=1h bytessum=sum(bytes)
| extend mb=bytessum/1024/1024
| project-away bytessum

Run in Cribl Search

Aggregating over time search

Aggregating over time search

Cribl Search comes with rich charting options out of the box, allowing you to adjust Charts as needed. The above example is an Area Chart with a Y-axis minimum of 6,000.

Previous

Previous

Next

Next

Need more help?

Support Ask Cribl Curious Forum Slack Call Us: +1 415-992-6301

4.10

Cribl Suite v4.10

Version 4.10 adds new capabilities and usability improvements to the Cribl product suite and Cribl.Cloud, including:

Notifications on Sources can now trigger on a persistent queue usage condition to alert you when disk usage for a queue exceeds a specified threshold.
Preview feature: The Kubernetes Explorer in Cribl Edge provides a visual interface to explore your Kubernetes clusters and help with configuring log ingestion and breakers.
The Metrics Inspector view in Data Preview introduces a new metrics-first view that enables you to analyze and optimize metrics-heavy data structures with detailed summaries and drill-down insights.
Support for Windows 10 and Windows 11 on laptops or desktops with power management enabled is no longer a preview feature and is now generally available.
The S3 Collector now supports collecting data from Splunk Dynamic Data Self Storage (DDSS) datasets. A new Partitioning scheme dropdown in the S3 Collector settings provides the DDSS option.
A new Zscaler Cloud NSS Source allows you to receive log data from Zscaler Nanolog Streaming Service (NSS) to optimize data for long-term retention, threat analysis, and SIEM integration.
The NetFlow Source has been renamed to NetFlow & IPFIX, and now includes added support for IPFIX (also known as NetFlow v10) and support for template records and options templates.
This release significantly reduces the Cribl Edge installation package size. The cribl/ directory on disk is now under 200 MB, down from over 400 MB, streamlining installations and improving the overall user experience.

Full changelog below.

4.9.3

Cribl Suite v4.9.3

Version 4.9.3 adds new capabilities and usability improvements to the Cribl product suite and Cribl.Cloud, including:

Cribl.Cloud users can now export their monthly invoices directly from the UI. Data can be exported as either CSV or JSON, so you can explore trends on monthly usage, or see how usage is changing by product.
Google Cloud Logging Destination reports accurate Bytes Out metrics within Monitoring views.

Full changelog below.

4.9.2

Cribl Suite 4.9.2

This release corrects a critical issue in Cribl Stream and Cribl Edge 4.9.1, which generated multiple "Dropping malformed HEC event" errors in logs, even with valid incoming HEC payloads. Changelog link below.

4.9.1

Cribl Suite v4.9.1

Version 4.9.1 adds new capabilities and usability improvements to the Cribl product suite and Cribl.Cloud:

Encoding for S3 Sources: The CrowdStrike FDR, Amazon S3, and Amazon Security Lake Sources in Cribl Stream now provide a setting that lets you select the encoding to use when parsing ingested data.
SNMP Function: The new SNMP Trap Serialize Function in Cribl Stream and Cribl Edge converts events into SNMP traps for forwarding to SNMP Trap Destinations.
CriblLogs option: The Cribl Internal Source in Cribl Stream and Cribl Edge now offers the CriblLogs option on Cribl-managed Cribl.Cloud Worker Groups, available for logs relating to Sources and Destinations.
Client Secret authentication for Azure Blob Storage: When using an Azure Blob Storage Dataset Provider in Cribl Search, you can now use the Client Secret authentication method, in addition to the existing authentication methods.
Download invoices: You can now download your monthly Cribl.Cloud invoices for use in external tools, for purposes such as budget planning, analytics, or storage.

4.9

Cribl Suite v4.9

Version 4.9 adds new capabilities and usability improvements to the Cribl product suite and Cribl.Cloud:
New in Cribl Stream:

Persistent Queues: New destination PQ modes, Always on and Backpressure.
REST Collector: Now supports paginated results in Discover.
Global Navigation: Enhanced global navigation experience.

New in Cribl Edge:

Enhanced Filtering: Filter and search nodes based on multiple criteria in Node & Map views.
Windows Laptop Support (Preview): Introduces support for Windows Laptops running Windows 10/11.

New in Cribl Search:

Search Packs (Preview): Introduces a new Packs framework with the ability to create, manage, and install Search-specific Packs directly from the Dispensary. This Preview release is limited to sharing Dashboards only.
Configurable Storage Classes for Object Stores: Gain control over which cloud storage classes are searchable, reducing unexpected access costs and preventing read failures on incompatible storage classes.
Dashboard Scheduling: Schedule searches in advance to power dashboard panels with faster and more efficient data visualization.

New in Cribl.Cloud:

API Token Clients/Secrets: Available at Org/Workspace/Product levels.
Pack Dispensary: Added product filters and permalinks.
Cross-region Support: Enabled for Cloud Workers in AWS.