At Cribl, we understand precisely what challenges our customers face when running complex searches, and the importance of getting exactly what they need with their queries. Cribl Search’s latest feature, Operator Preview, allows data analysts to test search operators without committing to a full search. It saves time, reduces costs, and streamlines your everyday data analysis. Let’s explore how Operator Preview can optimize your workflow, from simple extract operations to intricate regex searches.
This feature is a new addition to Cribl Search that allows users to test operators without executing the search on the actual data source. It is a quick and efficient method to preview changes, enabling you to iterate and refine your operators without incurring the cost of executing them on the actual dataset until you are ready.
To use the Operator Preview, hover over an operator and click the button on the top right of the pop-up. This allows you to assess how your operator will affect your data before executing the full search.
Now, let’s test this feature with a few real-world examples.
Let’s say you have a bucket with VPC Flow Logs. As a DevOps engineer working on a critical project, you need to extend the dataset with a specific field named flag, and you want this field to output either flag:yes or flag:no, depending on whether the response time of a resource is over 100ms. With the Preview feature, you can apply an extend operator to a subset of your search results without querying the entire dataset.
Here’s what our starting point looks like:
Now, let’s extend this dataset with the new field flag. To do that, type | extend after the limit 1000, hover over the operator, and click the Preview button. Once there, type extend flag=iif(rt>100, 'yes', 'no').
Here’s what it should look like:
Now, click the Preview button. The results table will switch to “Out”, indicating that the displayed results represent what the operator would output. Notice the new field flag highlighted in green.
When you are satisfied with the changes, click the Apply button in the bottom right corner to incorporate your extend operator into the original query. Run the search and observe that the newly created field has been conveniently added to your left-side panel, as well as to the table view:
Regex extractions can be notoriously complex, and the Operator Preview feature enables a more iterative approach to building these intricate queries. Let’s say you have a dataset with syslog data in it, and you want to extract the hostname, message, pid, process, and priority fields.
This time, we will use the extract operator with type=regex. Start by typing the extract operator, hover over it, and click the Preview button:
Next, we will use regex to extract the required fields from the _raw field (you can also do that using Parsers, but what’s fun in that?). In the Preview modal, type: extract type=regex regex=@"\<(?<priority>\d+)\>\w+ \d+ \d+:\d+:\d+ (?<hostname>\w+) (?<process>\w+)\[(?<pid>\d+)\]:(?<message>.+)" and click the Preview button.
This visual color-coded aid makes it easier to spot any unintended consequences of your regex search, ensuring that you fine-tune your query to perfection. Let’s click apply and run the search on the dataset:
Voilà! You’ve successfully extracted five new fields and enhanced your dataset.
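To make the two previews above concrete offline, here is an added Python example (not code from the Cribl post or from Cribl Search itself) that mimics what the “Out” table shows for the extend operator from the first walkthrough and the extract operator from this one. It runs the post’s regex over a few constructed syslog lines and the iif logic over constructed VPC Flow Log records, and it also reports which raw lines the regex did not match, which is exactly the kind of unintended consequence the colour-coded preview is meant to surface. The sample records, the assumption that an event missing rt gets flag:no, and the translation of Kusto’s (?<name>) groups into Python’s (?P<name>) syntax are all assumptions made for this example.

```python
import re
from typing import Callable, Dict, List

# The post's extraction regex, translated to Python group syntax ((?P<name>...)
# instead of (?<name>...)). Capture groups and structure are otherwise identical.
SYSLOG_PATTERN = re.compile(
    r"<(?P<priority>\d+)>\w+ \d+ \d+:\d+:\d+ (?P<hostname>\w+) "
    r"(?P<process>\w+)\[(?P<pid>\d+)\]:(?P<message>.+)"
)


def extend_flag(event: Dict, field: str = "rt", threshold: int = 100) -> Dict:
    """Mimic `extend flag=iif(rt>100, 'yes', 'no')`.

    Returns a copy of the event with a new `flag` field. An event with no
    numeric `rt` at all gets 'no' here (assumption for this example).
    """
    out = dict(event)
    rt = event.get(field)
    out["flag"] = "yes" if isinstance(rt, (int, float)) and rt > threshold else "no"
    return out


def extract_regex(event: Dict, pattern: re.Pattern = SYSLOG_PATTERN,
                  source: str = "_raw") -> Dict:
    """Mimic `extract type=regex regex=@"..."` on the `_raw` field.

    Every named capture group becomes a new field. Events that do not match
    are returned unchanged so they stand out when you compare In and Out.
    """
    out = dict(event)
    match = pattern.search(event.get(source, ""))
    if match:
        out.update(match.groupdict())
    return out


def preview(events: List[Dict], operator: Callable[[Dict], Dict]) -> List[Dict]:
    """Apply one operator to a slice of results, like the Preview modal does."""
    return [operator(e) for e in events]


def unmatched_raw(events: List[Dict], pattern: re.Pattern = SYSLOG_PATTERN) -> List[str]:
    """Return the `_raw` values the regex failed to match (the lines to fix first)."""
    return [e["_raw"] for e in events if not pattern.search(e.get("_raw", ""))]


# Constructed sample input for the extend walkthrough (not real flow logs).
FLOW_LOG_SAMPLE = [
    {"srcaddr": "10.0.0.5", "dstaddr": "10.0.0.9", "rt": 42},
    {"srcaddr": "10.0.0.7", "dstaddr": "10.0.0.9", "rt": 250},
    {"srcaddr": "10.0.0.8", "dstaddr": "10.0.0.9"},  # rt missing entirely
]

# Constructed sample input for the extract walkthrough (not real syslog).
# The third line has a hyphenated hostname and no [pid], so the regex
# deliberately does not match it.
SYSLOG_SAMPLE = [
    {"_raw": "<34>Oct 11 22:14:15 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234"},
    {"_raw": "<13>Oct 11 22:14:16 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)"},
    {"_raw": "<13>Oct 11 22:14:17 web-02 kernel: no pid bracket here"},
]


if __name__ == "__main__":
    for row in preview(FLOW_LOG_SAMPLE, extend_flag):
        print(row)
    for row in preview(SYSLOG_SAMPLE, extract_regex):
        print(row)
    print("unmatched:", unmatched_raw(SYSLOG_SAMPLE))
```

Running the block shows the two matching syslog lines gaining priority, hostname, process, pid and message fields, while the third line comes back with only its original _raw field and is listed under unmatched; that is the cue to loosen the hostname group or handle the missing pid before clicking Apply and paying for the full search.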
Cribl Search’s Operator Preview feature is a significant advancement for data analysts and security operations analysts. The ability to test and refine operators before executing a full search saves time, reduces costs, and minimizes errors in your data analysis process. Whether you’re working on simple extractions or dealing with complex regex searches, Operator Preview is designed to enhance your workflow and boost your overall efficiency.
The fastest way to get started with Cribl Stream, Edge, and Search is to try the Free Cloud Sandboxes.
Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.