Language Reference

A comprehensive reference for the Cribl Search implementation of KQL.


Cribl Search is based on Kusto Query Language (KQL), which lets you delve into your data to discover patterns, identify anomalies and outliers, and create statistical models.

While the Cribl implementation of KQL mostly follows the original, there are certain KQL differences (for example, we provide the implicit cribl operator). To get the details right, follow the language usage guidelines presented in these sections:

You can also browse and link to all KQL operators and functions in our Index of Operators and Functions.

Operators

An operator in Cribl Search is a query component that processes data, performing actions such as filtering, counting, or transforming events. Operators can use functions, and are delimited by the pipe character |.

For example, the limit operator sets the maximum number of events returned from a search:

dataset="cribl_search_sample"
 | limit 100

To learn more, see: Operators.

Commands

A command in Cribl Search is an instruction used to manage searches directly from the query box.

Commands are designed primarily for Admins and Editors, who use them to manage search jobs or learn more about the Organization’s Datasets.

Commands start with a period (.), and can be combined with literals and operators. For example, the .show command can list searches:

.show running queries

Statements

A statement in Cribl Search is a special keyword that either sets advanced search options (set) or assigns a name to an expression (let); named expressions are also what you use to join Datasets.

For example, this statement sets the maximum number of events returned by the current search:

set max_results_per_search=1000;

To learn more, see: Statements.

Functions

A function in Cribl Search is a unit of logic that processes data based on arguments passed to it.

Functions can be used with operators to perform calculations, transformations, or conversions.

For example, the max function returns the maximum value of a field:

dataset="cribl_search_sample"
 | summarize LatestEvent=max(start)

To learn more, see: Functions.
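The sections above introduce statements, operators, and functions separately. The following search, added here as an illustration and not taken from the Cribl documentation, combines all three in the way a practitioner would when hunting for a noisy source in authentication data: a set statement caps the result size, a let statement names a threshold, and a pipeline of operators uses aggregation functions to count and time-stamp events per source. The dataset name comes from the page; the field names status, src_ip and _time, the where operator, and the count() function are assumed to exist in the sample data and in the Cribl Search implementation (where and count() are standard KQL).

```kql
// Added example, not from the Cribl page. Field names are assumptions.
// Statement: cap how many events this search may return.
set max_results_per_search=1000;
// Statement: give the alert threshold a name so it is easy to tune.
let threshold = 20;
// Operators, delimited by |, filter, aggregate, and truncate the events.
dataset="cribl_search_sample"
 | where status == "failed"
 // Functions inside the summarize operator: count events and find the
 // most recent timestamp for each source address.
 | summarize failures=count(), LatestEvent=max(_time) by src_ip
 // Keep only sources that exceeded the named threshold.
 | where failures > threshold
 | limit 100
```

Reading the pipeline top to bottom mirrors how the engine evaluates it: each operator receives the events emitted by the one before it, so the second where sees the aggregated rows produced by summarize rather than the raw events.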

Virtual Tables

A virtual table in Cribl Search is a dynamically generated dataset that provides system information useful for troubleshooting, performance analysis, and testing.

For example, the $vt_dummy virtual table generates sample data:

dataset="$vt_dummy" event<10

To learn more, see: Virtual Tables.