Search Data without Moving it

Make Moves Without Making Your Data Move

January 16, 2024
Written by
Perry Correll's Image

Perry Correll, Principal Technical Content Manager at Cribl, is passionate about the powe... Read Morer of observability and how, when done right, it can deliver operational insights into network performance. He has 30+ years of networking experience from early Ethernet to today's observability and held positions from SE to product management with leading organizations. Read Less

Categories: Cribl Search, Learn

How much of the data you collect is actually getting analyzed? Most organizations are focused on trying not to drown in the seas of data generated daily. A small subset gets analyzed, but the rest usually gets dumped into a bucket or blob storage.

“Oh, we’ll get back to it,” thinks every well-intentioned analyst as they watch data streams get sent away, never to be seen again. Sure, some of this happens for compliance reasons — but the truth is that it’s too expensive to put all of your data into a system of analysis, so off it goes.

The problem is some of that data is time-sensitive — it doesn’t age well for security teams looking for threats in real-time. There are also valuable nuggets of information there, whether you know them or have the tools to find them. If you were able to dig in deeper, you’d gain insights into failure points, application behavior, and more,

If data volumes make it hard to get even the basics done, how will you keep your organization safe or get any long-term analytical value from your data? The answer is having the right tools in place for the job.

Wait, What Even is Observability Data?

Typically, when people talk about observability data, they refer to the three pillars of observability: logs, traces, and metrics. But any data traversing an organization’s environment fits into this category, regardless of its label. Security, telemetry, machine, and streaming data all fall under the observability umbrella.

System state information and configuration files also cut — we’ve got customers with hundreds of thousands of edge devices, all with configurations they’d like to see without bringing them back and sticking them into a bucket first. The idea of observability data is expansive, and it’s continuing to grow — especially with the increases in data being generated by traffic in cloud environments.

Observability Solutions Aren’t One Size Fits All

Because it’s so comprehensive, no matter how many people are trying to sell you one, you can’t go out and buy an observability solution. There are too many sources, destinations, and governance requirements to address, and every organization’s needs differ.

There are also varying needs between teams within organizations. IT teams used to handle anything data-related, but there are now distinct IT Ops, DevOps, SRE, AI Ops, and SecOps teams, each with their responsibilities.

  • IT Ops teams are usually your monitoring team. They seek actionable information to trigger a bridge or response to an application/systems-related issue.
  • DevOps teams are looking to troubleshoot and triage application issues. They’re more focused on debug logging, typically after incidents are resolved.
  • SRE teams look to use data to automate things. More often than not, SRE teams are the bridge between IT ops and DevOps.
  • AI Ops teams look for consistent, well-structured data they can then use to provide insights, typically via machine learning.
  • SecOps teams look at all the data for security issues, incidents, and things to trigger alerts, then run a SOAR playbook against them.

Observability data isn’t just beneficial for your IT and security needs; it has significant value for other departments like your sales and marketing teams. Leveraging real-time data can boost marketing campaigns and offer instant insights. This immediacy of data can be a game-changer for analytics teams accustomed to end-of-period reporting because it allows for more dynamic and responsive decision-making.

Traditional Searches vs. Cribl Search

Traditional searches typically involve collecting data from various sources, routing to a centralized point for ingestion, and then duplicating and storing it before conducting searches. This process works fine, but cost and complexity issues limit your capabilities. Cribl Search complements the traditional methods by allowing you to search data in place.

With Cribl Search, you can query data from AWS, Azure, Google, or anywhere else for specific dates, times, strings, regexes, and more. A single query lets you search raw text, binary, parquet files, compressed files, JSON, and others on multiple servers, containers, or storage systems. When you find what you’re looking for, you can shape the data as needed and pull only those results back to forward to Splunk, Grafana, Elastic, or anywhere else you’d prefer.

The possibilities are endless — think about a DevOps engineer who needs to look at debug logs. Traditionally, they’d have to bother their Elastic or Splunk admin to spend time and use up license space to consume those logs. With Cribl Search, they can search debug logs on the host, shortcutting any complexity issues and removing the license cost constraints.

By using Cribl Search to query data in Cloud Object Storage, you can access data you wouldn’t normally be able to. Say you’ve kept data in your analysis system for the required time frame. It’s since moved on to cold storage, but you need to access it again. Typically, you would have to spend a lot of time restoring that data, but with Cribl Search, you can search object storage without moving anything first – any only move back exactly what you need.

Cribl Search is allowing organizations to evolve their approaches to IT and security. Instead of relying on discrete data points to inform operations, they can gather and search enough of their observability data to get a baseline normal behavior. Identifying anomalies by tracking deviations from that baseline is a more dynamic and insightful way to monitor system states and generate alerts.

Ed Bailey and I discussed all this in and more in a recent webinar. Check out the recording for a full demo and learn more about how Cribl Search can help you get the most out of your existing systems — saving money, time, and reducing complexity along the way.


Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.

Default Image

How to Cut Through the Chaos of Custom App Log Management

Read More
Feature Image

Cribl’s Blueprint for Secure Software Development

Read More
Feature Image

Calling All MSSP’s and MDR’s! Cribl.Cloud is Here for You!

Read More

Try Your Own Cribl Sandbox

Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.


So you're rockin' Internet Explorer!

Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari

Got one of those handy?