Cribl Operator Usage
Time to stretch our legs a bit. Let's take the cribl operator for a spin.
- On the Cribl.Cloud home page, in the Search pane (at the right), click Explore.
- Enter the following query:
  `dataset="cribl_search_sample" dataSource="vpcflowlogs" (srcport<=1024 or dstport<=1024) | limit 1000`
- Click SEARCH.
Ok, let's break this down barney style. The first things we see are two ComparisonExpressions:
`dataset="cribl_search_sample"` and `dataSource="vpcflowlogs"`
These say: retrieve VPC flow log events from the cribl_search_sample dataset. Easy enough, right?!
When using the cribl operator it's good practice to start by identifying the dataset(s) you want to search as part of your scope. Keep in mind this value may contain wildcards to target multiple datasets at once, so a pattern that is broader than you intend will also pull in data you did not mean to search.
The next portion of the query, `(srcport<=1024 or dstport<=1024)`, combines two ComparisonExpressions with `or` to return only events where either the source or the destination port falls in the privileged port range. Strictly speaking, privileged ports are 0 to 1023, so `<=1024` also admits port 1024; tighten it to `<1024` if that distinction matters for your search.
Additionally, `in` and `!in` (not in) can be used to filter events against a list of values.
- Clear the query box.
- Enter the following query:
  `dataset="cribl_search_sample" dataSource=access_* request in (PUT*, PATCH*, POST*) | limit 1000`
- Click SEARCH.
Here we are using the `in` filter to return only events whose request uses the PUT, PATCH, or POST method. This is much easier than repeating the field name for each value (`request=PUT* or request=PATCH* or request=POST*`). Since the request field holds more than just the HTTP method (the path and protocol version follow it), you'll also notice that `in` supports wildcards, letting us match values that start with the method we want rather than equal it exactly.
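To make the matching semantics of the two queries above concrete, here is an added Python emulation (this is not Cribl's search engine or any code from the page; it only reproduces the behaviour the text describes). It runs both queries over a handful of constructed VPC flow and access-log events, and also shows the `!in` form. The event records, field names and the assumption that `*` is a glob-style wildcard evaluated case-insensitively are all assumptions made for the example.

```python
import fnmatch

# Constructed sample events for the example (not real Cribl data).
# The VPC flow records exercise the privileged-port boundary: 1024 is admitted
# by `<=1024` even though privileged ports are 0 to 1023.
VPC_FLOW_EVENTS = [
    {"dataset": "cribl_search_sample", "dataSource": "vpcflowlogs", "srcport": 443,   "dstport": 51234},
    {"dataset": "cribl_search_sample", "dataSource": "vpcflowlogs", "srcport": 49152, "dstport": 1024},
    {"dataset": "cribl_search_sample", "dataSource": "vpcflowlogs", "srcport": 49153, "dstport": 1025},
    {"dataset": "cribl_search_sample", "dataSource": "vpcflowlogs", "srcport": 53,    "dstport": 33000},
    {"dataset": "other_dataset",       "dataSource": "vpcflowlogs", "srcport": 22,    "dstport": 40000},
]

# The access-log records exercise the dataSource wildcard, the `in` prefix
# wildcard, and case-insensitive string comparison ("patch" vs "PATCH*").
ACCESS_EVENTS = [
    {"dataset": "cribl_search_sample", "dataSource": "access_combined", "request": "GET /index.html HTTP/1.1"},
    {"dataset": "cribl_search_sample", "dataSource": "access_combined", "request": "POST /login HTTP/1.1"},
    {"dataset": "cribl_search_sample", "dataSource": "access_common",   "request": "patch /api/users/7 HTTP/1.1"},
    {"dataset": "cribl_search_sample", "dataSource": "access_common",   "request": "PUT /upload HTTP/1.1"},
    {"dataset": "cribl_search_sample", "dataSource": "syslog",          "request": "POST /x HTTP/1.1"},
]


def wildcard_match(value, pattern):
    """Emulates a Cribl string comparison: `*` is a wildcard and the match is
    case-insensitive (assumption: glob semantics, so `access_*` and `PUT*` work
    as prefixes)."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def matches_in(value, patterns, negate=False):
    """Emulates `field in (a, b, ...)`; with negate=True, `field !in (...)`."""
    hit = any(wildcard_match(value, p) for p in patterns)
    return (not hit) if negate else hit


def privileged_port_query(events, limit=1000):
    """dataset="cribl_search_sample" dataSource="vpcflowlogs"
       (srcport<=1024 or dstport<=1024) | limit 1000"""
    hits = [
        e for e in events
        if wildcard_match(e["dataset"], "cribl_search_sample")
        and wildcard_match(e["dataSource"], "vpcflowlogs")
        and (e["srcport"] <= 1024 or e["dstport"] <= 1024)
    ]
    return hits[:limit]


def write_method_query(events, limit=1000):
    """dataset="cribl_search_sample" dataSource=access_*
       request in (PUT*, PATCH*, POST*) | limit 1000"""
    hits = [
        e for e in events
        if wildcard_match(e["dataset"], "cribl_search_sample")
        and wildcard_match(e["dataSource"], "access_*")
        and matches_in(e["request"], ["PUT*", "PATCH*", "POST*"])
    ]
    return hits[:limit]


def non_get_query(events, limit=1000):
    """Same scope as write_method_query, but using the negated form:
       request !in (GET*)"""
    hits = [
        e for e in events
        if wildcard_match(e["dataset"], "cribl_search_sample")
        and wildcard_match(e["dataSource"], "access_*")
        and matches_in(e["request"], ["GET*"], negate=True)
    ]
    return hits[:limit]


if __name__ == "__main__":
    for e in privileged_port_query(VPC_FLOW_EVENTS):
        print("flow :", e["srcport"], "->", e["dstport"])
    for e in write_method_query(ACCESS_EVENTS):
        print("write:", e["dataSource"], e["request"])
    for e in non_get_query(ACCESS_EVENTS):
        print("!GET :", e["dataSource"], e["request"])
```

Two things worth noticing when you run it: the flow record with destination port 1024 is returned because the query says `<=1024`, and the lower-case `patch` request is returned because string comparisons are case-insensitive, so a case-mismatched method in an access log will not slip past an `in` filter.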
When using the cribl operator you should:
- Enclose field values in double quotes "" if:
  - You don't specify cribl in the syntax. Otherwise, an unquoted term without cribl is interpreted as a dataset name.
  - The value contains special characters or spaces. For example, "goat herd".
- Use a backslash \ to escape double quotes inside a quoted value. For example, "style=\"goatee\"".
- Remember that string expressions are case-insensitive.