Skip to main content

Query Assistance with Copilot

TL;DR

Cribl Copilot can transform natural language descriptions into powerful search queries, making it easier to find exactly what you're looking for in your data.

One of the most valuable capabilities of Cribl Copilot is helping you create search queries. Instead of remembering specific syntax or operators, you can simply describe what you're looking for in plain English.

Scenario: Finding Suspicious Activity

Let's say you want to search for potential security breaches in your logs. Without knowing the exact query syntax, you can ask Copilot for help.

Ask Copilot for Query Help
  1. Navigate to Search through the product switcher
  2. Open Copilot and type:
Help me create a query to find rejects in datasource vpcflowlogs and 401 from datasource access_common in the dataset cribl_search_sample
  1. Press Enter and observe Copilot's response. The response should be close to this or this
dataset=cribl_search_sample | where (action=='REJECT' and dataSource=='vpcflowlogs') or (status==401 and dataSource=='access_common')
  1. We have follow-up queries based on our initial query.

Copilot will analyze your request and generate a search query. The response typically includes:

  1. The complete query: Ready to be used in Search
  2. Customization options: Suggestions for how you might want to modify it
  3. Implementation button: A way to directly apply the query to Search
Execute the Query
  1. Review the query that Copilot has suggested
  2. Click the provided button to apply the query to Search
  3. Observe the results and see if they match what you were looking for

From Natural Language to Kusto

Cribl Search uses a query language similar to Kusto, which can be challenging to learn. Copilot bridges this gap by translating your natural language description into proper query syntax.

Example

For example, your request for ["In cribl search sample from the dataSource syslog i want to know all events based on priority for the field priority i want to see all events that are less than 5"] might be translated to something like:

dataset=cribl_search_sample dataSource="syslog" | where priority < 5

This conversion from natural language to formal query syntax makes the power of Cribl Search accessible to everyone on your team, regardless of their query language expertise.

Optional Exploration

Try asking Copilot to help with different types of queries:

  • "Show me all HTTP 500 or 400 errors from our web servers grouped by request_uri_path cribl_search_sample"
  • "Create a line chart showing utilization trends over the past week cribl metrics"

Now that we've explored Copilot's three main capabilities, let's look at how they work together in a real-world scenario.