
🎶Can't Stop, Addicted to the Search-ing🎶

TL;DR

We've added macros and export. The former allows reuse of query text across queries. The latter enables pushing query results straight to Cribl Lake.

Macros

Has this ever happened to you? You're working on a query in Cribl Search, and you realize you need to use the same query in another search. You could copy and paste the query, but that's a pain. You could save the query as a search, but that's overkill. What if you could just save the query text and reuse it whenever you want? Well, now you can!

Bigger Picture
  1. Click Stream in the top left of the UI and in the resulting dropdown click Search
  2. In the top nav click Settings
  3. On the left side of the screen, click Macros
  4. Click Add Macro at the top right
  5. Fill out the information as follows:
    • ID: export_logs
    • Description: Export logs to Cribl Lake
    • Definition:
    | export to lake default_logs
  6. Click Save

I guess we should talk about export now, huh?

export

If you go through the Cribl Lake Overview Sandbox (shameless plug), we'll guide you through configuring Stream to receive data from Search and then push it into Lake. We'll also tell you why you would want to do that (hint: re-use the Route to send to multiple Destinations). However, we'll also guide you through the process of exporting data from Search to Lake. There is a subtle difference between the two: send can push to external destinations through use of Stream, while export pushes directly to Lake (no Streams attached).

Here we're just gonna show you how to export, so if you want the more nuanced approach, check out the Cribl Lake Overview Sandbox (shameless plug x2).

A Datum in the Lake is worth Two in the Stream
  1. Click Home from the top nav
  2. Under Available Dataset, hover over cribl_search_sample and click Search Now
  3. At the end of the query, add ${export_logs}
    Your query should look like this:
     dataset="cribl_search_sample" | limit 1000 ${export_logs}
  4. Click the blue Search at the top right of the query box
  5. Once the search completes, change your query to the following:
    dataset="default_logs" | limit 1000
  6. Click Search

OK, let's take a second to unwind and discuss what just happened.

First, you created a macro. Said macro was a snippet of a query that just so happens to use export. More specifically, it exports all query results to the default_logs dataset in Cribl Lake (which you didn't have to do anything to configure, by the way). Then you used that macro in a search of the cribl_search_sample dataset, thus exporting the logs. Finally, you queried the default_logs dataset to see the logs you just exported (again without needing to configure Lake as a datasource). Wowzers. That was a lot.
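To make the macro mechanism concrete, here is an added example (not Cribl's code) that mimics what happens when `${export_logs}` is expanded: it substitutes macro references in a query from a small definition table, and flags references to macros that do not exist or that refer to each other in a loop. The `MACROS` table, the reference syntax `${id}`, and the unresolved/cycle checks are assumptions for illustration; the page does not describe Cribl's own expansion rules.

```python
import re

# Macro table as the tutorial defines it (constructed here): ID -> definition.
MACROS = {
    "export_logs": "| export to lake default_logs",
}

# A macro reference looks like ${name}; the ID syntax is an assumption.
MACRO_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def find_unresolved(query: str, macros: dict = MACROS) -> list:
    """Return the macro names referenced in `query` that have no definition."""
    return [name for name in MACRO_REF.findall(query) if name not in macros]


def expand_macros(query: str, macros: dict = MACROS, max_depth: int = 10) -> str:
    """Replace every ${id} with its definition until no references remain.

    Definitions may themselves contain references, so expansion repeats up to
    `max_depth` times. Raises KeyError for an unknown macro and RecursionError
    when definitions refer to each other in a cycle (hypothetical checks).
    """
    for _ in range(max_depth):
        if not MACRO_REF.search(query):
            return query
        missing = find_unresolved(query, macros)
        if missing:
            raise KeyError(f"unknown macro(s): {', '.join(missing)}")
        query = MACRO_REF.sub(lambda m: macros[m.group(1)], query)
    raise RecursionError("macro expansion did not converge; cyclic definitions?")


if __name__ == "__main__":
    # The query from the tutorial, with the macro reference at the end.
    print(expand_macros('dataset="cribl_search_sample" | limit 1000 ${export_logs}'))
```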

By the way, we also have a great Cribl Search Overview Sandbox! And if you've done that, we have yet another Search Sandbox that covers connecting Search to various supported data sources (like Amazon S3 and generic APIs).