Skip to main content

Cribl Search Language

Welcome to our Cribl Search self-guided tutorial! This course, Cribl Search Operators, is an interactive introduction to the KQL-based Cribl Search language. In this course, we explore Cribl's Search product in your Cribl.Cloud organization.

By the end of this course you should be familiar with:

  • Creating basic search queries.
  • Aggregating and transforming data returned by queries.
  • Joining data sets.
  • Performing conditional evaluations on data.
  • Utilizing virtual tables and lookups.
  • Querying external system APIs.

If you haven't already done so, it is highly recommended that you complete the Cribl Search Overview sandbox first to gain a basic understanding of how Cribl Search works.

This course should take about 15 minutes to complete. At the end of the course, you can optionally continue on with some of our How-To's, or check out any of the other courses at https://sandbox.cribl.io.

You can come back to this tutorial at any time and continue your progress by starting this course at https://sandbox.cribl.io. Then you'll be asked to authenticate with your Cribl.Cloud credentials. (Note: for Cribl.Cloud users with multiple Organizations, you'll need to select the Organization where you'd like to complete the Sandbox Tutorial.)

Conventions

In this tutorial, the following formatting indicates (respectively) actions we expect you to take; content you can optionally skip; and commands or content you need to paste into the terminal or Stream.

important

Important text shows actions you need to take. For each of these sections, further sections will depend on your having taken these actions in Search.

Optional

Notes contain optional steps. You can skip these without breaking the infrastructure we're building.

Permissions Check

Permissions checks highlight actions that require elevated permissions. If you are in a managed organization, your permissions may not allow you to take the following steps.

Preformatted text contains commands to be pasted
into the terminal, or content to be pasted into
Search. There is an easy Copy option available
at these sections' upper-right corner.
The Bigger, The Better

This course may have images with details that are difficult to see at their current size. Right-click these images and select Open Image in New Tab to view them at full size. You can also enlarge this sidebar by dragging the right border further to the right to enlarge images.

Getting Help

If you get stuck during this tutorial, feel free to reach out to us on the Cribl Community Slack channel.