At Cribl, we understand precisely what challenges our customers face when running complex searches, and the importance of getting exactly what they need with their queries. Cribl Search’s latest feature, Operator Preview, allows data analysts to test search operators without committing to a full search. It saves time, reduces costs, and streamlines your everyday data analysis. Let’s explore how Operator Preview can optimize your workflow, from simple extract operations to intricate regex searches.
This feature is a new addition to Cribl Search that allows users to test operators without executing the search on the actual data source. It is a quick and efficient method to preview changes, enabling you to iterate and refine your operators without incurring the cost of executing them on the actual dataset until you are ready.
To use the Operator Preview, hover over an operator and click the button on the top right of the pop-up. This allows you to assess how your operator will affect your data before executing the full search.
Now, let’s test this feature with a few real-world examples.
Let’s say you have a bucket with VPC Flow Logs. As a DevOps engineer working on a critical project, you need to extend the dataset with the specific field name `flag`, and you want this field to output either `flag:yes` or `flag:no`, depending on whether the response time of a resource is over 100ms. With the Preview feature, you can apply an `extend` operator to a subset of your search results without querying the entire dataset.
Here’s what our starting point looks like:
Now, let’s extend this dataset with the new field `flag`. To do that, type `| extend` after the `limit 1000`, hover over the operator, and click the Preview button. Once there, type `extend flag=iif(rt>100, 'yes', 'no')`.
Here’s what it should look like:
Now, click the Preview button. The results table will switch to “Out”, indicating that the displayed results represent what the operator would output. Notice the new field `flag` highlighted in green.
When you are satisfied with the changes, click the Apply button in the bottom right corner to incorporate your `extend` pipeline into the original query. Run the search and observe that the newly created field has been added to your left-side panel as well as to the table view:
Regex extractions can be notoriously complex, and the Operator Preview feature enables a more iterative approach to building these intricate queries. Let’s say you have a dataset with `syslog` data in it, and you want to extract the `hostname`, `message`, `pid`, `process`, and `priority` fields.
This time, we will use the `extract` operator with type regex. We will start by typing the `extract` operator and hovering over it to click on the Preview button:
Next, we will use regex to extract the required fields from the `_raw` field (you can also do that using Parsers, but what’s fun in that?). In the Preview modal, type: `extract type=regex regex=@"\<(?<priority>\d+)\>\w+ \d+ \d+:\d+:\d+ (?<hostname>\w+) (?<process>\w+)\[(?<pid>\d+)\]:(?<message>.+)"` and click the Preview button.
This color-coded visual aid makes it easier to spot any unintended consequences of your regex search, so you can fine-tune your query before running it. Let’s click Apply and run the search on the dataset:
Voilà! You’ve successfully extracted five new fields and enhanced your dataset.
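The same dry run can be done offline before the pattern reaches a production search. This is an added example, not Cribl's code: it runs the article's pattern as a JavaScript regular expression over constructed syslog lines and reports which events would silently get no fields. The function names, hosts, and sample lines are assumptions made for illustration.

```javascript
// Pattern copied from the article's extract operator (without the @"..." wrapper).
const SYSLOG_RE =
  /\<(?<priority>\d+)\>\w+ \d+ \d+:\d+:\d+ (?<hostname>\w+) (?<process>\w+)\[(?<pid>\d+)\]:(?<message>.+)/;

// Constructed sample lines (hypothetical hosts and users, not the article's dataset).
const SAMPLES = [
  "<34>Oct 11 22:14:15 mymachine su[2301]: 'su root' failed for lonvick",
  "<13>Feb 25 08:02:44 web-01 sshd[991]: Accepted publickey for deploy",
  "<86>Sep  5 01:00:01 db1 cron[4120]: session opened for user root",
  "<6>Jan 12 10:00:00 host1 kernel: eth0 link up",
];

// Mimics the Preview "Out" view: each event plus the fields the regex would add.
function previewExtract(lines, re = SYSLOG_RE) {
  return lines.map((raw) => {
    const m = re.exec(raw);
    return { _raw: raw, matched: m !== null, fields: m ? { ...m.groups } : {} };
  });
}

// Names the usual reasons this specific pattern skips an event.
function whyUnmatched(raw) {
  if (/^<\d+>\w+ {2,}\d/.test(raw)) return "day padded with two spaces";
  if (!/\w\[\d+\]:/.test(raw)) return "no [pid] after process name";
  if (/\d+:\d+:\d+ \S*[^\w\s]\S* /.test(raw)) return "hostname has non-word characters";
  return "unknown";
}

// One line per event: extracted fields, or the reason nothing was extracted.
function report(lines) {
  return previewExtract(lines).map((r) =>
    r.matched
      ? `OK   ${JSON.stringify(r.fields)}`
      : `MISS ${whyUnmatched(r._raw)}: ${r._raw}`
  );
}

console.log(report(SAMPLES).join("\n"));
```

Only the first sample matches, and its `message` keeps the leading space after the colon. The other three lines are the kind of events that would come back without the new fields, which matters when a detection or dashboard filters on `hostname` or `process`.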
Cribl Search’s Operator Preview feature is a significant advancement for data analysts and security operations analysts. The ability to test and refine operators before executing a full search saves time, reduces costs, and minimizes errors in your data analysis process. Whether you’re working on simple extractions or dealing with complex regex searches, Operator Preview is designed to enhance your workflow and boost your overall efficiency.