“Half the time the toilet’s out of reach – the other half it’s out of order”.
–Arthur C. Clarke, Report on Planet Three and Other Speculations
Sounds familiar, doesn’t it? Arthur C. Clarke humorously hits the nail on the head about life’s balancing acts. The balance between user freedom and resource utilization is key. In the world of data management, we often face a similar conundrum: making sure resources are available and in good working order when we need them the most. This is where Cribl Search steps in with its neat new feature, Usage Groups. It’s like having a smart thermostat for your data management system – it ensures you’re using your resources effectively without burning through your Cloud credits. Let’s dive in and see how Usage Groups can make your life easier and your data management smarter.
Usage Groups in Cribl Search allow administrators to set specific limits on search usage for different users or usage groups. This functionality is crucial for managing resource consumption and ensuring users don’t exhaust the allocated credits, thus maintaining optimal system performance. With Usage Groups, admins can ensure that each user operates within a specified resource boundary, fostering a more balanced and efficient use of the Cribl Search credits.
Out of the box, Cribl Search offers two primary groups:
System: This group sets system-level limits applicable to all searches.
Default: This is for all ad hoc searches not covered by other groups.
In addition to that, let’s see how we can create custom usage groups to serve our unique requirements better.
Creating a new Usage Group is straightforward. Navigate to Settings > Search Settings > Usage Groups and click Add Usage Group. Here, you can name your group, define its limits, and enable it. Assigning users to these groups is just as easy, ensuring everyone has the right level of access and resource allocation.
Let’s say you have different teams within your organization, each with unique search requirements. You aim to ensure efficient use of Cribl Search without compromising the team’s ability to extract valuable insights. We can create different usage groups for different teams, but before we do that, let’s see what settings are available for us and what they do:
What It Does: Sets how far back in time a user can search. For example, settings like 30d or 1y allow searches up to 30 days or one year back, respectively. You can also specify time in seconds by entering a numeric value without a time unit.
What It Does: Determines the maximum number of ad hoc searches a single user can perform simultaneously. This helps manage the system load, by preventing an individual user from running too many simultaneous searches.
What It Does: Caps the total number of concurrent searches that can be conducted across the entire organization. This is crucial for ensuring that the system remains stable and responsive by avoiding an overload of simultaneous search queries.
What It Does: Specifies the maximum number of executors that can be dispatched for a single search. This limit is important for controlling the computational resources allocated to each search, ensuring efficient use of system resources.
What It Does: Sets the maximum duration, in seconds, that a search is allowed to run. This limit prevents searches from running indefinitely, which can tie up resources and affect system performance.
What It Does: Defines the maximum time range for a search query. For instance, a limit of 3 days (3d) means a search can’t span more than a 3-day period. This helps in focusing the searches and managing the amount of data being processed.
What It Does: Determines the maximum number of scheduled searches a user can have running at the same time. This is vital for balancing the system’s load, especially for searches set to run automatically at specific times.
What It Does: Controls the maximum number of events (data points) that can be returned in a search result. This is important for ensuring that search results are manageable and pertinent.
What It Does: Puts a cap on the maximum number of bytes that can be read in a single search. This limit is important for managing data throughput and maintaining efficient use of storage and network resources.
Now that we’re familiar with the available settings in Cribl Search’s Usage Groups, let’s visualize how these settings can be applied to distinct personas or teams:
Challenge: Incident Response Teams often operate in a tiered structure. The lower-tier team members (the Initial Responders) handle initial assessments, while higher-tier members (Hunters) engage in deep and comprehensive investigations.
Challenge: Responsible for maintaining various analytics tools, the Sys Admin requires a broad but controlled access to data, focusing more on system health and less on specific data queries.
In essence, Cribl Search’s Usage Groups feature empowers teams with needed tools while maintaining efficient resource management. It ensures that each team has the search capabilities they need to succeed, all under a well-managed, resource-conscious framework.
Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.
We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.