
Introduction to Searching

Now that we've gotten the lay of the land, it helps to have some foundational knowledge of the Cribl Search language. Starting with the basics: every search requires a query and a time range. The Cribl Search language has several components, but for now, to keep things simple, we'll focus on three: scope, operators, and functions.

Scopes, and Operators, and Functions, Oh My!

The Scope defines which datasets to search; it uses the cribl operator to select the events the search starts from. Think of this as the pool of data you want to start with.

Operators act on the data handed to them, in sequence. An operator can generate data, filter data, transform data, or summarize it in some way. Consecutive operators are separated by the | (pipe) symbol.

The cribl operator is implied

By default, every search starts with the cribl operator implied, so you don't need to type it.

Functions are used in conjunction with operators to process data. If Operators are instructions for what to do to the data, think of Functions as instructions for how to do it.

Data Flow

Data flows, or is piped, from one operator to the next. Events are filtered or manipulated at each operation and then fed into the following operation.

You can think of the data flow as a funnel. You start out with your selected events (the Scope). Those events are then passed to the next operator, and each time the data passes through another operator, it is filtered, manipulated, or summarized further. At the end of the funnel, you’re left with a refined output.

[Figure: data flow]

Order matters

Because data is piped from one operator to the next in sequence, the order of operators in a query matters: it can change both the results and the performance. Filtering early, for example, leaves every later operator with fewer events to process, and a field that one operator removes is no longer available to the operators after it.
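To make the scope / operator / function split and the funnel-shaped data flow concrete, here is an added example that models a tiny query pipeline in Python. It is not Cribl's code and the Cribl-style query strings in the comments are illustrative only; the dataset name `web_access`, the sample events, and the helper names `scope`, `where`, `extend`, `summarize_count`, and `run` are all assumptions made for this illustration. It covers the three components introduced above, the piped data flow, and the point that operator order changes both the result and the amount of work each stage does.

```python
"""Toy model of how a Cribl Search query flows through scope, operators and
functions. Added illustration, not Cribl's code: each operator is a Python
generator that consumes the events handed to it by the previous stage and
yields events to the next one, which is the `|` piping the text describes.
The Cribl-style query strings in comments are illustrative only."""
from collections import Counter
from typing import Callable, Iterable, Iterator, Optional

Event = dict
Operator = Callable[[Iterable[Event]], Iterator[Event]]

# Constructed sample events standing in for a dataset; not real data.
DATASETS = {
    "web_access": [
        {"host": "web1", "status": 200, "path": "/"},
        {"host": "web1", "status": 404, "path": "/admin"},
        {"host": "web2", "status": 500, "path": "/login"},
        {"host": "web2", "status": 200, "path": "/"},
        {"host": "web3", "status": 403, "path": "/admin"},
        {"host": "web1", "status": 404, "path": "/wp-login.php"},
    ],
}

def scope(dataset: str) -> list[Event]:
    """Scope: the pool of events a search starts from (what the implied
    cribl operator selects with a dataset name)."""
    return list(DATASETS[dataset])

def where(predicate: Callable[[Event], bool]) -> Operator:
    """Filtering operator: pass through only events the predicate accepts."""
    def op(events: Iterable[Event]) -> Iterator[Event]:
        for e in events:
            if predicate(e):
                yield e
    return op

def extend(field: str, fn: Callable[[Event], object]) -> Operator:
    """Transforming operator: add a computed field. `fn` plays the role of a
    function: the operator says WHAT happens (add a field), fn says HOW."""
    def op(events: Iterable[Event]) -> Iterator[Event]:
        for e in events:
            yield {**e, field: fn(e)}
    return op

def summarize_count(by: str) -> Operator:
    """Summarizing operator: count events per value of `by`. Output rows carry
    only `by` and `count`; every other field is gone after this stage."""
    def op(events: Iterable[Event]) -> Iterator[Event]:
        counts = Counter(e[by] for e in events)
        for key, n in sorted(counts.items()):
            yield {by: key, "count": n}
    return op

def _tally(stream: Iterable[Event], stats: list, i: int) -> Iterator[Event]:
    """Count events entering stage i without altering them."""
    for e in stream:
        stats[i] += 1
        yield e

def run(events: Iterable[Event], *operators: Operator,
        stats: Optional[list] = None) -> list[Event]:
    """Pipe events through the operators in the order given (the `|` in a query).
    If `stats` is a list, stats[i] ends up holding the number of events that
    entered operator i, which shows how much work each stage had to do."""
    stream: Iterable[Event] = iter(events)
    for i, op in enumerate(operators):
        if stats is not None:
            stats.append(0)
            stream = _tally(stream, stats, i)
        stream = op(stream)
    return list(stream)

def requests_by_status_class() -> list[Event]:
    # Illustrative query: dataset="web_access" | extend cls=... | summarize count() by cls
    return run(scope("web_access"),
               extend("cls", lambda e: f"{e['status'] // 100}xx"),
               summarize_count("cls"))

def errors_per_host(stats: Optional[list] = None) -> list[Event]:
    # Illustrative query: dataset="web_access" | where status >= 400 | summarize count() by host
    return run(scope("web_access"),
               where(lambda e: e["status"] >= 400),
               summarize_count("host"), stats=stats)

def errors_per_host_wrong_order(stats: Optional[list] = None) -> list[Event]:
    # Same operators, swapped: ... | summarize count() by host | where status >= 400
    # summarize has already dropped `status`, so the filter matches nothing, and the
    # summarize stage had to process all 6 events instead of just the 4 errors.
    return run(scope("web_access"),
               summarize_count("host"),
               where(lambda e: e.get("status", 0) >= 400), stats=stats)

if __name__ == "__main__":
    s1, s2 = [], []
    print(requests_by_status_class())
    print(errors_per_host(s1), "events entering each stage:", s1)
    print(errors_per_host_wrong_order(s2), "events entering each stage:", s2)
```

Running the script shows the funnel: six events enter the first stage, and with the filter placed first only four reach the summarize stage, producing per-host error counts. With the summarize stage moved before the filter, the stage counts are 6 and 3 and the result is empty, because the field the filter needs no longer exists by the time it runs.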