Inspect Your Cribl Search Datasets
Understand your data before searching, so you can pick the right Datasets, know their fields, and build on previous analyses.
Highlights
- From Search Home, select a Dataset to see its contents, statistics, history, and more.
- Use that info to pick a starting point for an investigation, reuse trusted queries, or spot ingest issues.
- Cribl-hosted Search Datasets give you richer insights into fields than federated Datasets.
See What’s in Your Datasets Before Running a Search
Reviewing your Datasets beforehand lets you:
- Decide what fields matter most for your investigation.
- Reuse searches, Dashboards, and Notebooks instead of starting from scratch.
- Catch ingest and parsing issues before they affect analysis.
If you’re unsure where to start in an environment with a lot of data:
- Prefer Datasets with higher recent search activity.
- De-prioritize low- or no-usage Datasets unless you have a specific use case.
- Look up a Dataset’s top users to find people that can share proven query patterns.
Visibility depends on your permissions, so you’ll only see Datasets you’re allowed to access.
See Live Data Flow
If you ingested data into a lakehouse engine, you can verify whether events arrive, parse, and route as expected.
- On the Cribl.Cloud top bar, select Products > Search > Data > Live Data.
- Wait for Cribl Search to capture a sample of incoming events.
You can select Capture to refresh the results and see the latest events.
- Set the following Capture Filters to refine the view:
Filter events by Source, Datatypes, or Datasets.
| Filter | Description |
|---|---|
| Source | Show only events from a specific Cribl Search Source. |
| Datatypes | Show only events of specific Datatypes. |
| Datasets | Show only events routed to specific Datasets. |
Select at which stage in the data flow you want to capture events.
| Level | Description |
|---|---|
| At Source | Capture original events as they arrive from the Source. |
| After Datatyping | Capture events after Datatyping to see how they got parsed. |
| After Dataset detection | Capture events after Datatyping and Dataset routing, reflecting what gets stored where. |
Set the scope of the capture.
| Setting | Description |
|---|---|
| Maximum events to capture | Set the sample size limit, up to 10,000 events. |
| Capture time (seconds) | How long to capture events, up to 3600 seconds. |
Filter for specific types of events, to catch ingest and parsing issues.
| Type | Description |
|---|---|
Uncategorized | Events not matching any Datatype. |
| Default AI Auto-Datatype | Events categorized by the default Auto-Datatyping process. |
| Orphaned | Events with no valid Search Dataset. This happens when a Dataset rule routes an event to a deleted or invalid Dataset. |
| Dropped | Events configured to be discarded by a Dataset rule. |
See Dataset Details and Statistics
Explore your Search Datasets and federated Datasets:
- Go to Search Home: On the Cribl.Cloud top bar, select Products > Search.
- Under Available Datasets, select a Dataset.
What you see in the details panel depends on the Dataset type.
For new Search Datasets, allow time for the statistics to populate, especially for multi-day windows.
| Section | Description |
|---|---|
| Earliest event time Latest event time | Dataset’s time range and freshness. |
| Total event count Total Dataset size | Dataset’s data volume. |
| Volume of Events and Bytes | Lets you spot spikes, drops, or gaps before you write a query. |
| Usage | Recent search activity on the Dataset. |
| Top 10 Users | Users who ran the most searches on the Dataset. |
| Fields | See Explore Fields in Search Datasets. |
| Section | Description |
|---|---|
| Usage | Recent search activity on the Dataset. |
| Top 10 Users | Users who ran the most searches on the Dataset. |
Search History
Review recent queries for proven starting points. Reuse what works, then refine.
For more information and ideas, see View History and Reuse Search Results.
Saved Searches
Open saved searches to apply team standards or keep results more consistent across users.
Dashboards
View Dashboards that reference this Dataset before you write a custom query.
Notebooks
Open related Notebooks to see or continue earlier investigations.
Explore Fields in Search Datasets
Cribl-hosted Search Datasets offer deep insight into their data structure, so you can pick fields that work well in filters, group-by clauses, or aggregations.
- Go to Search Home: On the Cribl.Cloud top bar, select Products > Search.
- Under Available Datasets, select a Search Dataset you want to inspect.
Search Datasets are marked with the lakehouse icon
. - In the resulting details panel, look at the Fields section.
If the Fields section is empty, select Retry to load the metadata.
If there’s no Fields section at all, you’re looking at a federated Dataset. Select a Search Dataset instead.
Each field has the following metrics, filtered for the selected time window:
| Field Metric | Description |
|---|---|
| Field | Field name you use in queries. |
| Type | Data type, such as string, numeric, boolean, object, or array. |
| Uniques | How many distinct values the field has in the selected time window. |
| Presence | What percentage of all events contain this field in the selected time window. |
| Null or empty | How often values are null or empty in the selected time window. |
Use those metrics to find:
- High-presence fields for filters and joins.
- Low-cardinality fields for group-by clauses.
- Weak fields with many null or empty values.
Select a field to drill down into details. For example, you can add the field to a query, or aggregate on it.