Cribl Search 4.2

Cribl Search Adds 500% More Searchable Datasets

July 25, 2023
Written by
Perry Correll's Image

Perry Correll, Principal Technical Content Manager at Cribl, is passionate about the powe... Read Morer of observability and how, when done right, it can deliver operational insights into network performance. He has 30+ years of networking experience from early Ethernet to today's observability and held positions from SE to product management with leading organizations. Read Less

Categories: Announcements

It’s been about 8 months since we first launched Cribl Search. For our early adopters, it’s been a game changer, and with each monthly release, we continue to innovate — expanding access to new datasets and adding new functionalities.

If Crib Search is new to you, here is a quick recap. Cribl Search flips the observability data search paradigm on its head. You no longer have to collect, ingest, and index your data before you can search it. Cribl delivers Search-in-Place, where administrators just point Cribl Search at the data using a single, simple query and search engines are dispatched to all the data stores, to find data-at-rest.

So…What’s New with Cribl Search?

Our Summer ‘23 release continues this path of innovation, we’ve increased the number of searchable datasets by over 500%, supplemented the UI with user-defined dashboards, and rolled out authentication and automation services providing not only more control but simplification of the overall search process. Essentially, we’re resetting expectations for what future search tools should deliver.

Query Target Expansion

The Observability landscape, like the universe, is constantly expanding and your ability to search this data needs to keep up. A few short months back we were limited to only a few searchable datasets; this has grown by more than 500% in the intervening months.

Cribl’s goal is to enable administrators to ‘search everything’ in order to unlock the value of all observability data and this summer release is a big step in that direction. Now, in addition to the ability to search Amazon S3 and Cribl Edge target, we have added default dataset providers of Amazon Security Lake, Azure Blob Storage, and Google Cloud Storage (and even simplified interactions between Cribl Search and Cribl Stream). Additionally, administrators now have the ability to Search API endpoints, with default configurations for Okta, Zoom, Google Workspace, Microsoft Graph, Amazon API Gateway, and Google Cloud. To round it out, Search can now auto-detect a bunch more datatypes, 10+ more! Just point Cribl Search to a set of data and automagically discover the types of data, apply parsing, and obfuscation, and even generate new fields on the fly as required.


The standard Search UI is a user-friendly interface providing a high level of functionality, however sometimes additional flexibility is required, that’s the purpose of the Dashboard feature

Dashboards are designed to provide a comprehensive and customizable experience for Cribl Search users, allowing them to create, manage and customize user-defined dashboards with ease. A variety of widget types and visualizations are available so you can tailor your dashboards to best fit specific requirements. Cribl always stresses the ability to choose what works best for you, not settling for ‘one size fits all’. So while one user might prefer to create their dashboard to monitor server performance using time series and event timeline widgets, another user may prefer to view/analyze another set of results with pie charts and top 10 lists. Dashboards are driven by Saved Searches – and you have the option for those Searches to be Scheduled (see below), which will automatically update dashboards as each Search re-executes on its own schedule. So the Dashboard can be left unattended (as on a NOC/SOC wall) and it will always be up-to-date.

Scheduling & Notifications

While user-interactive searching (ad-hoc) is the most intuitive way of using Search, the lion’s share of the workload is actually via automated searches. Scheduled searches not only are a time saver, but more importantly, they can power dashboards, notifications, and data summarization to drive analytics and can even send data to Stream and other destinations on a scheduled basis. Cribl Search now offers both options, scheduled and ad-hoc as each has unique purposes and capabilities.

Additionally, we’ve added the ability to create external Notifications that can be triggered as the result of a Scheduled Search meeting a user-configurable condition. Administrators can set any Search to execute on a scheduled basis, and now automatically generate a notification if a defined condition is met. Currently, Search supports the same Notification Targets as provided by Cribl Stream: PagerDuty® notifications and customizable webhooks for integration into any arbitrary notification or automation product. (Additional Notification Targets will be forthcoming in future releases.)

There’s More:


If you’re an administrator, you’re responsible for the data gathered and need the ability to control who has access to that data. Cribl’s new authorization support gives you two levels of control:

  1. The ability to determine which products are in the Cribl.Cloud suite a user has access to, including Stream, Edge, and Search. This allows the product owner to delegate access control to both administrators and specific users of each individual product.
  2. The ability to define which Search users have access to those specific datasets required for their roles. Access privileges include no access, read-only (Search) access, or read/write access (configuration access). This release allows administrators to limit who may access/query which datasets, as well as which users can modify each dataset.

Future Search releases will allow more fine-grained access control over Search objects and events within Datasets.


Stream administrators commonly use the lookup function to enrich events with external information, now they want this same capability in Search. Look(up) no further!. Now, Search users can use lookups to enrich their data results, providing additional value to query results. Lookups are provided by either uploading CSV files or by creating them via Search results using the new export Operator. Once lookups are created, they may be used in any Search by specifying a lookup field in the Search to match a column in the CSV. When that field matches, the Search results for that event are enriched with the other fields in the CSV file for that particular row.

Inbound API Access

As discussed above, Cribl Search allows administrators to query datasets based on API endpoints, but the advantage of APIs is not a one-way street. Most administrators just want more data, not another system for their teams to have to learn and manage. With inbound API access, Search services are now available via API, allowing administrators to integrate Search directly into their applications and services to automate search operations within existing workflows and applications.

Innovation Never Stops

Cribl Search is revolutionizing data analysis by enabling insights without the need for data transport or ingestion. As a newly developed product, there are many exciting directions we plan to explore. Innovation is an iterative process, and we will continually seek input and feedback from our customers and the market to quickly iterate our solution and stay focused on delivering value to customers. More capabilities are already scheduled for later this year, and if you are wondering what comes next, just check out our Cribl Community.

And remember, all of our products are complementary to customers’ existing tools and investments. We don’t seek to rip and replace. Rather, we seek to provide value to our customers, no matter what tools and solutions they have in place today.

The latest release of Search launched on July 17th, becoming instantly available to anyone with a Cribl.Cloud account, both licensed and free tier users! For more information about Cribl Search and all the other new features from Cribl, check out our Search product page.

More about Cribl’s Summer Launch



Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a generous free usage plan across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started. We also offer a hands-on Sandbox for those interested in how companies globally leverage our products for their data challenges.

Feature Image

Cribl’s Blueprint for Secure Software Development

Read More
Feature Image

Calling All MSSP’s and MDR’s! Cribl.Cloud is Here for You!

Read More
Feature Image

Optimizing Data Access: Best Practices for Partitioning in Cribl

Read More

Try Your Own Cribl Sandbox

Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.


So you're rockin' Internet Explorer!

Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari

Got one of those handy?