Datatypes in Cribl Search

Define how Cribl Search interprets raw data, so you can extract meaningful fields and search faster.


What’s a Datatype?

A set of rules that defines how Cribl Search processes incoming data into structured events.

Datatypes allow Cribl Search to:

  • Recognize the type of the incoming data (for example, “AWS S3 server access logs”), and detect how it’s formatted (for example, JSON Array).
  • Break events: Split raw input into discrete events.
  • Parse fields: Turn event text into fields you can query.
  • Extract time: Pull event timestamps to add the _time field to each event.
  • Enrich data: Compute additional fields for schema mapping or other enrichment.

Datatypes add the relevant datatype field to each event (for example, datatype: "aws_s3_server_access_logs").

Example: AWS VPC Flow Log

Here’s how the aws_vpcflow v1 Datatype processes an AWS VPC Flow Log event:

In / Out (interactive example: the raw event and its processed result)
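To make the four processing steps concrete, here is an added illustration in Python. It is not Cribl's implementation and not the page's In/Out example: it models the stages the page names (break events, parse fields, extract time, enrich) over a constructed pair of VPC Flow Log records. The field names and column order are AWS's default VPC Flow Log version 2 format, the `datatype` value `aws_vpcflow` is assumed from the Datatype's name on the page, and `duration_secs` is an assumed enrichment field chosen for the example.

```python
"""Toy model of the Datatype stages: break, parse, extract time, enrich.

Added example, not Cribl's code. Stage names follow the page; field names
follow AWS's default VPC Flow Log v2 layout; DATATYPE_NAME is an assumption.
"""
import re

# Constructed sample: two newline-delimited records in the default AWS VPC
# Flow Log v2 layout. Addresses use documentation ranges (RFC 5737).
SAMPLE_RAW = (
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 49152 443 6 10 8400 "
    "1700000000 1700000060 ACCEPT OK\n"
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51000 22 6 3 180 "
    "1700000030 1700000090 REJECT OK\n"
)

# Default AWS VPC Flow Log (version 2) field order.
VPC_FLOW_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]
INTEGER_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
                  "bytes", "start", "end"}
DATATYPE_NAME = "aws_vpcflow"  # assumed value, taken from the Datatype's name


def break_events(raw: str) -> list[str]:
    """Stage 1: split the raw object into one event per non-empty line."""
    return [line for line in raw.splitlines() if line.strip()]


def parse_fields(event: str) -> dict:
    """Stage 2: whitespace-delimited parse into named fields.

    A record with the wrong column count is kept as _raw only (plus a
    parse_error note), so a malformed line stays searchable but is never
    silently mis-mapped onto the wrong field names.
    """
    parsed = {"_raw": event}
    tokens = re.split(r"\s+", event.strip())
    if len(tokens) != len(VPC_FLOW_FIELDS):
        parsed["parse_error"] = (
            f"expected {len(VPC_FLOW_FIELDS)} columns, got {len(tokens)}"
        )
        return parsed
    for name, value in zip(VPC_FLOW_FIELDS, tokens):
        # Numeric columns become ints; "-" placeholders (NODATA) stay strings.
        if name in INTEGER_FIELDS and value.isdigit():
            parsed[name] = int(value)
        else:
            parsed[name] = value
    return parsed


def extract_time(fields: dict) -> dict:
    """Stage 3: derive _time (epoch seconds) from the flow's start column."""
    start = fields.get("start")
    if isinstance(start, int):
        fields["_time"] = float(start)
    return fields


def enrich(fields: dict) -> dict:
    """Stage 4: tag the event with its datatype and add a derived field."""
    fields["datatype"] = DATATYPE_NAME
    if isinstance(fields.get("start"), int) and isinstance(fields.get("end"), int):
        fields["duration_secs"] = fields["end"] - fields["start"]
    return fields


def apply_datatype(raw: str) -> list[dict]:
    """Run all four stages over a raw object and return structured events."""
    return [enrich(extract_time(parse_fields(ev))) for ev in break_events(raw)]


if __name__ == "__main__":
    for event in apply_datatype(SAMPLE_RAW):
        print(event.get("_time"), event.get("action"), event.get("srcaddr"),
              "->", event.get("dstaddr"), event.get("duration_secs"))
```

The malformed-record path matters for searchability: an event that fails parsing still receives `_raw` and the `datatype` tag, so it can be found and inspected, but it gets no `_time` and no typed fields that a query might otherwise trust.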

v1 and v2 Datatypes

Cribl Search features two Datatype models: the older v1 Datatypes are gradually being replaced by the more efficient v2 Datatypes.

Learn more about each type:

As of Cribl Search 4.17.0, the two Datatype models compare as follows:

Work with
  • v1 Datatypes: Federated providers only.
  • v2 Datatypes: All Cribl Search Sources (high-speed lakehouse engines). Federated providers: Amazon S3 or Azure Blob, with JSON Newline Delimited and Delimited Text formats (see Federated Search v2 for details).

Data formats supported
  • v1 Datatypes: CSV, Extended Log File Format, Common Log Format, Key=Value Pairs, JSON Object, Delimited values, Regular Expression, Grok.
  • v2 Datatypes: JSON Newline Delimited, Delimited Text, JSON Array, Key-Value Pair, Parquet, Raw Text, XML.

Stock Datatypes available
  • v1 Datatypes: List of Stock v1 Datatypes.
  • v2 Datatypes: List of Stock v2 Datatypes.

Auto-Datatyping
  • v1 Datatypes: No.
  • v2 Datatypes: Yes.

Customizable
  • v1 Datatypes: Yes.
  • v2 Datatypes: Yes.

Stock and Custom Datatypes

Cribl Search ships with a wide range of stock Datatypes:

You can also: