Scope

Greetings my jedi apprentice. Back for more, you are. Very well, we've already covered understanding ~~The Force~~ Cribl Search Overview, and connecting to ~~The Force~~ Cribl Search Data Sources, but now we must enhance your usage of ~~The Force~~ the Cribl Search language.

Once knowledgable in the ways of ~~The Force~~ the Cribl Search Language you will be able to perform amazing feats of data transformation and reporting, but first you must actually gather the data that you need. We like to call this phase of searching the scope. In the scope phase our primary objective is to generate and filter the events that we want to search.

Scope Operators

There are 3 operators that you will leverage to achieve this.

Operator	Description
`cribl`	The cribl operator finds specific events.
`find`	The find operator finds specific events.
`externaldata`	The externaldata operator fetches external data from HTTP(S) URLs, including public APIs.
`search`	The search operator finds events with specific text strings.

Work Cribler not Harder

While both the cribl, search, and find operators perform the same function, the cribl operator is recommended due to its ease of use and enhanced capabilities. For this reason we won't cover usage of the search, or find operators any further in this sandbox.

Scope Operators​

Scope Operators