Simple Searching

And with that, we now have enough knowledge to really start getting to the nitty-gritty. Let's start by revisiting our last search. If you still have it up, great; if not:

Start Search-ing
  1. Ensure that Search Home is selected in the left navigation bar.
  2. Under Available Datasets hover over cribl_search_sample and click Search Now.

What Are We Doing?

Let's go over what this search is doing. Remember, by default our query box has the cribl operator implied. Even though we haven't typed it into the search, that is the first operator we're using. Since many of you may not know what the operator does (and since it may help to just know that), we'll consult the Cribl docs within Search to find out.

May the docs be with you
  1. Click the help icon to the left of the query box.

  2. In the pane on the right, click Search Operators > cribl.

    NOTE: Alternatively, you can simply type cribl in the provided search bar.

Upon consulting our handy dandy notebook we can see that the cribl operator finds specific events. Perfect, since that's exactly what we're here to do. So within the cribl operator we have provided the expression:

dataset="cribl_search_sample"

This tells Search to return all events for the S3 bucket we have assigned to that dataset.

Next, we pipe those results into the limit operator to return no more than 1000 events.

| limit 1000

Therefore, our full search looks like:

dataset="cribl_search_sample" | limit 1000

We can then pipe those results into another operator to further filter, transform, or aggregate the data. But before we do that, it'd be wise for us to narrow the scope as much as possible early on. We'll do this using the field browser to the left of the results.

Field Browser
  1. Click dataSource.

  2. Click vpcflowlogs.

  3. Click Add field in search.

    Order Matters

    Notice that our additional filter expression (below) wasn't added to the end of the query. Instead it was added at the end of the cribl operator. Cribl Search knows that we want to filter and that placing our expression after | limit 1000 wouldn't accomplish that since the limit operator doesn't retrieve and search events.

    dataSource="vpcflowlogs"
  4. Click Search.

Boolean Logic

Great, with a couple of quick clicks we've managed to search an S3 bucket directly and narrow the results down to only VPC Flow Logs. An important thing worth mentioning is that the cribl operator leverages boolean logic. The Boolean Operators are not, or, and (in that order of precedence). These operators are used between comparison expressions and/or string expressions. If no Boolean Operator is provided, then and is implied. Combining either expression type with parentheses and wildcards gives you the ability to filter the data any way you see fit.

Comparison Expressions

Comparison expressions compare numbers or strings and evaluate to true or false. Events for which the expression evaluates to true are returned as results. Comparison expressions follow the syntax: field name (case sensitive) + comparison operator + value. Our dataSource filter is an example of a comparison expression:

dataSource="vpcflowlogs"

Comparison operators: =, ==, !=, !==, >, >=, <, <=

Operator, description, and examples that return true:

Equal (= or ==): returns true if the operands are equal.
  Examples: 3 == var1, "3" == var1, 3 == '3'

Not equal (!=): returns true if the operands are not equal.
  Examples: var1 != 4, var2 != "3"

Strict not equal (!==): returns true if the operands are of the same type but not equal, or are of different types.
  Examples: var1 !== "3", 3 !== '3'

Greater than (>): returns true if the left operand is greater than the right operand.
  Examples: var2 > var1, "12" > 2

Greater than or equal (>=): returns true if the left operand is greater than or equal to the right operand.
  Examples: var2 >= var1, var1 >= 3

Less than (<): returns true if the left operand is less than the right operand.
  Examples: var1 < var2, "2" < 12

Less than or equal (<=): returns true if the left operand is less than or equal to the right operand.
  Examples: var1 <= var2, var2 <= 5

String Expressions

String expressions are simply a string of characters enclosed in " (double quotes). Use a backslash \ to escape double quotes. Example: "style=\"goatee\"". String expressions can be searched alone, without a field name. Let's update our search to try this out.

String Expressions
  1. Add "accept" just before the limit operator in the search query. The full search should now be:

    dataset="cribl_search_sample" dataSource="vpcflowlogs" "accept" | limit 1000
  2. Click Search.

Notice that when performing an unstructured search (a search with a simple string expression or wildcards) the value is highlighted in the results for quick identification. Neat!

Wildcards (*) are supported in both comparison expressions and string expressions and are great for quickly filtering for similar values or when you are unsure of the full value.

Let's try it out!

Add a Wildcard
  1. In the field browser click interface_id.

    NOTE: There are four interfaces. Let's exclude eni-0bf22c72ebe087ac9 and eni-0b2fc5457066bc156, but instead of typing the whole values we'll use wildcards to remove them both at once.

  2. Add not "eni-0b*" to your search just before the limit operator. Our full query should now be:

    dataset="cribl_search_sample" dataSource="vpcflowlogs" "accept" not "eni-0b*" | limit 1000
  3. Click Search.

Poof! Just like that, they're both gone!
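To make the comparison, string, boolean and wildcard rules above concrete, here is an added JavaScript model of the cribl operator's filter syntax (example code written for this page, not Cribl's implementation; JavaScript because its loose and strict equality behave exactly as the comparison table shows). It assumes the constructed SAMPLE_EVENTS, that a bare string matches any field's whole value case-insensitively, and that only the filter expression is passed (no | limit).

```javascript
// Added illustration, not Cribl's code: a small evaluator for the filter syntax this tutorial describes.
// Precedence follows the text (not, then or, then and); adjacent terms are and-ed; * is a wildcard.
const SAMPLE_EVENTS = [ // constructed records; the two eni-0b* ids are the ones named in the tutorial
  { dataSource: "vpcflowlogs", action: "ACCEPT", interface_id: "eni-0bf22c72ebe087ac9", bytes: 840 },
  { dataSource: "vpcflowlogs", action: "REJECT", interface_id: "eni-0bf22c72ebe087ac9", bytes: 40 },
  { dataSource: "vpcflowlogs", action: "ACCEPT", interface_id: "eni-0b2fc5457066bc156", bytes: 1200 },
  { dataSource: "vpcflowlogs", action: "ACCEPT", interface_id: "eni-0c9a9a9a9a9a9a9a9", bytes: 300 },
  { dataSource: "cloudtrail", action: "ACCEPT", interface_id: "eni-0c9a9a9a9a9a9a9a9", bytes: 0 },
];
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"'; // double-quoted string, \" allowed inside
const TOKEN = new RegExp(`\\s*(?:(\\w[\\w.]*)\\s*(==|!==|!=|>=|<=|=|>|<)\\s*(${QUOTED}|[^\\s()]+)|(${QUOTED})|([()])|(not|or|and)\\b)`, "y");
function tokenize(query) { // field-op-value comparisons, bare strings, parentheses and keywords
  const out = [];
  for (let pos = 0; pos < query.length; pos = TOKEN.lastIndex) {
    TOKEN.lastIndex = pos; const m = TOKEN.exec(query);
    if (!m) throw new Error("cannot parse near: " + query.slice(pos));
    out.push(m[1] ? { type: "cmp", field: m[1], op: m[2], raw: m[3] } : m[4] ? { type: "str", raw: m[4] } : { type: m[5] || m[6] });
  }
  return out;
}
// A quoted value becomes a string (escapes removed); an unquoted numeric value becomes a number.
const literal = raw => raw.startsWith('"') ? raw.slice(1, -1).replace(/\\(.)/g, "$1") : Number.isNaN(Number(raw)) ? raw : Number(raw);
// "*" matches any run of characters; every other character is taken literally.
const wildcard = (pat, flags = "") => new RegExp("^" + pat.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join(".*") + "$", flags);
const OPS = { "=": (a, b) => a == b, "==": (a, b) => a == b, "!=": (a, b) => a != b, "!==": (a, b) => a !== b, // loose vs strict,
  ">": (a, b) => a > b, ">=": (a, b) => a >= b, "<": (a, b) => a < b, "<=": (a, b) => a <= b };           // as in the table
function compare(ev, { field, op, raw }) {
  const left = ev[field], right = literal(raw);
  if (typeof right === "string" && right.includes("*") && ["=", "==", "!="].includes(op)) // wildcard value
    return wildcard(right).test(String(left)) === (op !== "!=");
  return OPS[op](left, right);
}
function matchesString(ev, raw) { // assumption: a bare string matches any field's whole value, case-insensitively
  const re = wildcard(literal(raw), "i"); return Object.values(ev).some(v => re.test(String(v)));
}
function parse(tokens) { // builds a predicate ev => boolean
  let i = 0; const peek = () => tokens[i];
  const notExpr = () => {
    const t = tokens[i++]; if (!t) throw new Error("unexpected end of query");
    if (t.type === "not") { const e = notExpr(); return ev => !e(ev); }
    if (t.type === "(") { const e = andExpr(); if (peek()?.type !== ")") throw new Error("missing )"); i++; return e; }
    if (t.type === "cmp") return ev => compare(ev, t);
    if (t.type === "str") return ev => matchesString(ev, t.raw);
    throw new Error("unexpected " + t.type);
  };
  const orExpr = () => { let l = notExpr(); while (peek()?.type === "or") { i++; const a = l, b = notExpr(); l = ev => a(ev) || b(ev); } return l; };
  const andExpr = () => { let l = orExpr(); while (peek() && peek().type !== ")") { if (peek().type === "and") i++; const a = l, b = orExpr(); l = ev => a(ev) && b(ev); } return l; };
  const fn = andExpr(); if (i !== tokens.length) throw new Error("unbalanced )"); return fn;
}
const search = (query, events = SAMPLE_EVENTS) => events.filter(parse(tokenize(query.trim()))); // events matching query
```

Running the tutorial's filter, search('dataSource="vpcflowlogs" "accept" not "eni-0b*"'), leaves only the constructed eni-0c9a... ACCEPT record, and bytes = "840" matches the numeric 840 while bytes !== "840" matches every record, which is the loose-versus-strict distinction from the table.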

Performance Tip

For optimal performance, it's best to use comparison expressions when possible. And remember to filter early and often.

What's Next?

Let's get aggregating!