Cribl Search Notebooks
Run an entire investigation in one tab, and share your work with others.
Why Use Notebooks
A Notebook is a document-like workspace in Cribl Search where you and other data analysts can combine search queries, data visualizations, and Markdown notes into persistent, shareable investigations. Here’s what you can do with Notebooks:
- Iterate: Run and maintain multiple searches next to one another, for faster, more-efficient investigations.
- Annotate: Add context and clarity with markdown notes for rich storytelling.
- Collaborate: Share your work through fine-grained edit or read-only access.
- Control: See who last edited your Notebook, and when.
- Summarize: Use Cribl Copilot to generate summaries of your findings, and to run queries from natural-language prompts.
Start working with Notebooks from anywhere in Cribl.Cloud: On the top bar, select Products > Search > Notebooks.
What’s in a Notebook
A Notebook consists of search cells and note cells.
When a Notebook is shared, Maintainers can add and edit cells, drag cells up and down, and clone the Notebook. Read Only users can view the cells and their results. Read more about Notebooks access.
Start a New Notebook
You can create an empty Notebook, and then add searches and notes as needed.
- Go to the Notebooks page in Cribl Search: On the top bar, select Products > Search > Notebooks.
- Select Add Notebook. Your new Notebook opens and gets autosaved.
- Start running searches and adding notes.
You can start a Notebook from a search you just ran.
- Start running your search from Search Home.
- Select the Actions drop-down, and select Add to Notebook.
- Enter the Notebook name.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any saved search (as long as it’s not part of a Pack) into a Notebook search cell, creating a new Notebook.
- Go the Saved Searches page in Cribl Search: On the top bar, select Products > Search > Saved Searches.
- Select the Actions button to the right of a search, and select Add to Notebook.
- Enter the Notebook name.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any search kept in History into a Notebook search cell, creating a new Notebook.
Go the History page in Cribl Search: On the top bar, select Products > Search > History.
Select the Actions button to the right of a search, and select Add to Notebook.
Enter the Notebook name.
Enter the Cell title. This will be the name of the search cell in your Notebook.
Select Add & Go to Notebook.
Add Searches to Your Notebook
You can run multiple new searches directly from your Notebook. You need to be the Notebook’s Maintainer for this.
- Open an existing Notebook or create a new one.
- At the bottom of the Notebook, select New Search. A cell with a query box opens.
- Run your query, as you would anywhere else in Cribl Search. To learn how, see some quick examples, or this tutorial: Write Your First Query. If your Organization has Cribl Copilot enabled, you can also use your search cells to run natural-language queries.
- To add another query, select New Search again. You can start another search while the first one is still running.
Alternatively, you can create a new search cell by selecting a field within a field summary or event details panel, and then selecting Add field to new cell from the resulting context menu.
You can add a search you just ran to an existing Notebook. You need to be the Notebook Maintainer for this.
- Start running your search from Search Home.
- Select the Actions drop-down, and select Add to Notebook.
- Select Use Existing.
- Select the Notebook.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any saved search (as long as it’s not part of a Pack) into a Notebook search cell, adding it to an existing Notebook. You need to be the Notebook Maintainer for this.
- Go the Saved Searches page in Cribl Search: On the top bar, select Products > Search > Saved Searches.
- Select the Actions button to the right of a search, and select Add to Notebook.
- Select Use Existing.
- Select the Notebook.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
You can turn any search kept in History into a Notebook search cell, adding it to an existing Notebook. You need to be the Notebook Maintainer for this.
- Go the History page in Cribl Search: On the top bar, select Products > Search > History.
- Select the Actions button to the right of a search, and select Add to Notebook.
- Select Use Existing.
- Select the Notebook.
- Enter the Cell title. This will be the name of the search cell in your Notebook.
- Select Add & Go to Notebook.
Add Notes to Your Notebook
You can add markdown-formatted notes to your Notebook using headings, lists, links, and more. See Markdown Guide for basic syntax.
You need to be the Notebook Maintainer for this.
- Open an existing Notebook or create a new one.
- At the bottom of the Notebook, select Add Note. A new note cell opens.
- Write your notes using markdown. The Notebook gets autosaved.
Summarize Your Notebook With Cribl Copilot
If your Organization has Cribl Copilot enabled, you can generate an AI summary of your Notebook findings.
- Open an existing Notebook or create a new one.
- In the top-right corner, select Summarize.
A summary of your Notebook appears in a new note cell at the top of the Notebook. You can edit the summary as needed.
Customize Notebook Display
To make your Notebook easier to skim, you can manage how much detail the Notebook displays. In the top-left corner of each cell, a Collapse/Expand toggle enables you to reduce the cell’s vertical depth to a summary view.
In the top-right corner of the Notebook itself, the Actions drop-down provides two toggles to manage the appearance of the whole Notebook:
Select Collapse All Cells or Expand All Cells to control the vertical spread of all cells at once.
Select Wide Layout or Default Layout to control the horizontal width available for Notebook contents.
Export Notebook Search Results
You can export the results of a Notebook search as a CSV or NDJSON file.
- Open an existing Notebook or create a new one.
- In a search cell, select the Actions button.
- From the drop-down, select Export as, and then either Export Results as CSV or Export Results as NDJSON.
Export a Notebook Chart
You can export a Chart contained in a Notebook search cell, as a JPG or PNG file.
- Open an existing Notebook or create a new one.
- In a search cell, select the Actions button.
- From the drop-down, select Export as, and then either Export Chart as JPG or Export Results as PNG.
Export Your Notebook as a PDF
You can download your Notebook as a PDF file.
- Open an existing Notebook or create a new one.
- In the top-right corner, select the Actions button.
- From the drop-down, select Print to PDF, and then save the file.
Share Your Notebook
As a Maintainer, you can allow others to view or edit your Notebooks at any time. For example, you might want to:
- Invite colleagues to join the investigation and contribute their expertise.
- Let others retrace your steps and pick up where you left off.
- Tell the full story behind your analysis, so stakeholders can understand how you reached your conclusions and review any assumptions you made.
- Grant limited access rights on your Notebooks to service accounts that connect to Cribl Search via API.
To share a Search Notebook with a Member, Team, or API Credential whose Search Permission is Editor or User:
Open an existing Notebook for which you are a Maintainer or create a new one.
In the top-right corner, select the Share button. Now, you can see who has access to the Notebook and at what level.
Under Add Members, Teams, and API Credentials:
- From the left drop-down menu, select the Member, Team, or API Credential that you want to share the Notebook with.
- From the right drop-down menu, select the Notebook Permission you want to grant: Read Only or Maintainer. For details, see Cribl Search Notebooks Permissions.
Select Add Access.
Select Save.
Admin Members, Teams, and API Credentials have the Maintainer Permission on all Notebooks by default.
To modify or remove access on a Search Notebook, find the Member, Team, or API Credential in the list on the Sharing pane. Select the desired Permission from the drop-down menu in the Permission column and save. Selecting No Access removes all access rights on the Notebook.
To copy a link to a specific cell, select the link icon in the cell’s top-left corner.
Synchronize or Lock Edits
As a Notebook creator, or with a Maintainer or higher Permission: When you save changes to a Notebook, a pop-up will alert you to any changes that other collaborators have made since your last save. In this read-only state, you will be required to reload the Notebook before saving.
You also have the option to lock a shared Notebook into a read-only state for other collaborators (as well as yourself). This is useful if you need to freeze a completed investigation’s results, to preserve their integrity against further changes.
In the Actions drop-down at the top-right corner of the Notebook, select the Lock Notebook toggle to preserve the current Notebook state. Select Unlock Notebook to make the Notebook editable again.
Notebooks Retention
Notebooks have a hard-coded 30-day retention period to facilitate extended investigations. Exceeding the Search history job limit will cause other jobs to be removed before Notebook jobs, to respect this extension.