
Connect Cribl Search to Azure Log Analytics

Configure Cribl Search to query log data stored in Azure Log Analytics workspaces.

In this guide, you will set up a Dataset Provider and a Dataset to search log tables in an Azure Log Analytics workspace.


Before You Start

Azure prerequisites:

  • Create an App Registration in Microsoft Entra ID. Assign the Log Analytics Reader role to this app registration on the target Log Analytics workspace. See Microsoft’s guide to registering an application for details.
  • Collect the following values from the app registration before configuring the provider:
    • Tenant ID (your Microsoft Entra tenant GUID)
    • Client ID (the application client ID)
    • Client Secret (the secret value, not the secret ID)
    • Workspace ID (the Log Analytics workspace GUID)

Network prerequisites:

  • The Cribl Search Leader node must have outbound HTTPS access to api.loganalytics.io and login.microsoftonline.com.
  • If your environment restricts outbound traffic, allowlist the Leader node egress IP in your firewall or network policy before saving the provider.

Add an Azure Log Analytics Dataset Provider

A Dataset Provider tells Cribl Search where to query and stores the access credentials for that connection.

To add a new Azure Log Analytics Dataset Provider, select Data, then Dataset Providers, then Add Provider.

Set the following configurations in the New Dataset Provider modal:

  1. ID is a unique identifier for the Dataset Provider. This is how you will reference it when assigning Datasets to it. Start the ID with a letter. The rest of the ID can use letters, numbers, and underscores (for example, my_log_analytics_provider).
  2. Description is optional.
  3. Set Dataset Provider Type to Azure Log Analytics.
  4. Enter the following values from your Microsoft Entra app registration:
    • Tenant ID is the GUID of your Microsoft Entra tenant.
    • Client ID is the GUID of the app registration.
    • Client Secret is the secret value for the app registration. Enter the secret value, not the secret ID. The secret is stored encrypted at rest.
    • Workspace ID is the GUID of the Log Analytics workspace this provider connects to.
  5. Select Save when finished.

When you save the provider, Cribl Search runs an automatic connectivity check against the configured workspace. If the check fails, a message appears explaining the cause. See Connectivity Check Errors for guidance on each error type.

Connectivity Check Errors

The connectivity check runs a lightweight query (print 1) against the workspace with a 30-second timeout. Failures return one of the following messages:

  • Invalid client secret. Use the secret value (not the secret ID) and confirm the secret has not expired.
    Cause and resolution: The secret value was incorrect or has expired. Re-enter the correct secret value from the app registration.
  • Invalid tenant ID. Verify the Microsoft Entra tenant ID is correct.
    Cause and resolution: The tenant ID does not match a valid Microsoft Entra directory. Check the value and re-enter it.
  • Invalid client ID. Verify the application (client) ID is correct.
    Cause and resolution: The app registration was not found in the specified tenant. Verify the client ID.
  • Invalid credentials. Verify your tenant ID, client ID, and client secret.
    Cause and resolution: Authentication failed. Check all three credential fields for typos or expired values.
  • Application not provisioned. Ask your Microsoft Entra administrator to grant admin consent for the application in your tenant.
    Cause and resolution: The app registration exists but admin consent has not been granted in this tenant. Contact your Microsoft Entra administrator.
  • Insufficient permissions. Verify the application has the Log Analytics Reader role and has been granted access to this workspace.
    Cause and resolution: The app registration authenticated successfully but lacks the Log Analytics Reader role on this workspace.
  • Workspace not found. Verify the workspace ID is correct and belongs to the configured tenant.
    Cause and resolution: The workspace GUID does not match a workspace accessible in this tenant. Confirm the workspace ID.
  • Azure Log Analytics is temporarily unavailable. Try again in a few minutes.
    Cause and resolution: Microsoft returned a 5xx error. Retry after a brief wait. If the problem persists, check the Azure status page.
  • Unable to reach Azure Log Analytics. Check your network connectivity and firewall settings.
    Cause and resolution: The Leader node could not reach api.loganalytics.io or login.microsoftonline.com. Verify network access and egress allowlists.
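As an added example (not Cribl's code, and not how Cribl implements the check), the script below is a stand-alone preflight you can run from the Leader host, or any host on the same egress path, before saving the provider. It performs the two steps the connectivity check depends on: a client-credentials token from login.microsoftonline.com, then the lightweight print 1 query against api.loganalytics.io, and maps failures onto the messages listed above. The AADSTS codes are Microsoft Entra's published error codes; which documented message each maps to, the HTTP-status mapping for the query step, and the environment variable names are assumptions made for this example.

```python
"""Stand-alone preflight for an Azure Log Analytics provider (added example).
Step 1: client-credentials token from Microsoft Entra.
Step 2: the same lightweight query, print 1, against the workspace.
Failures are mapped onto the documented connectivity-check messages."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
SCOPE = "https://api.loganalytics.io/.default"
TIMEOUT = 30  # seconds, the same budget as the documented check

MSG = {
    "secret": "Invalid client secret. Use the secret value (not the secret ID) and confirm the secret has not expired.",
    "tenant": "Invalid tenant ID. Verify the Microsoft Entra tenant ID is correct.",
    "client": "Invalid client ID. Verify the application (client) ID is correct.",
    "creds": "Invalid credentials. Verify your tenant ID, client ID, and client secret.",
    "consent": "Application not provisioned. Ask your Microsoft Entra administrator to grant admin consent for the application in your tenant.",
    "rbac": "Insufficient permissions. Verify the application has the Log Analytics Reader role and has been granted access to this workspace.",
    "workspace": "Workspace not found. Verify the workspace ID is correct and belongs to the configured tenant.",
    "upstream": "Azure Log Analytics is temporarily unavailable. Try again in a few minutes.",
    "network": "Unable to reach Azure Log Analytics. Check your network connectivity and firewall settings.",
}

# Microsoft Entra error codes found in the token endpoint's error_description.
# The codes are Microsoft's; mapping them to the messages above is an assumption.
AADSTS_TO_MSG = {
    "AADSTS7000215": "secret",   # invalid client secret provided
    "AADSTS7000222": "secret",   # client secret has expired
    "AADSTS90002": "tenant",     # tenant not found
    "AADSTS700016": "client",    # application not found in the directory
    "AADSTS65001": "consent",    # admin consent not granted
}


def classify_token_failure(status, body):
    """Token step failed: pick the documented message from status and body."""
    if status >= 500:
        return MSG["upstream"]
    desc = body.get("error_description", "") if isinstance(body, dict) else str(body)
    for code, key in AADSTS_TO_MSG.items():
        if code in desc:
            return MSG[key]
    return MSG["creds"]  # a credential failure we cannot attribute more precisely


def classify_query_failure(status):
    """Query step failed after a token was issued (status mapping is an assumption)."""
    if status == 401:
        return MSG["creds"]
    if status == 403:
        return MSG["rbac"]
    if status == 404:
        return MSG["workspace"]
    if status >= 500:
        return MSG["upstream"]
    return f"Unexpected HTTP {status} from Azure Log Analytics."


def _post(url, data, headers):
    """POST and return (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, raw.decode("utf-8", "replace")


def preflight(tenant, client_id, client_secret, workspace):
    """Return None when both steps succeed, else the documented message."""
    try:
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}).encode()
        status, body = _post(TOKEN_URL.format(tenant=tenant), form,
                             {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            return classify_token_failure(status, body)
        status, _ = _post(QUERY_URL.format(workspace=workspace),
                          json.dumps({"query": "print 1"}).encode(),
                          {"Content-Type": "application/json",
                           "Authorization": f"Bearer {body['access_token']}"})
        return None if status == 200 else classify_query_failure(status)
    except OSError:  # URLError, DNS failures and socket timeouts all derive from OSError
        return MSG["network"]


if __name__ == "__main__":
    # Secrets come from the environment (assumed variable names), not argv,
    # so the client secret never appears in the process list or shell history.
    result = preflight(os.environ["AZ_TENANT_ID"], os.environ["AZ_CLIENT_ID"],
                       os.environ["AZ_CLIENT_SECRET"], os.environ["AZ_WORKSPACE_ID"])
    print("Connectivity check passed" if result is None else result)
    sys.exit(0 if result is None else 1)
```

A passing preflight tells you the egress path, the credentials and the workspace role are all in order from that host; a failure at the token step points at Entra (tenant, client ID, secret, consent), while a failure at the query step points at the workspace ID or the role assignment, which is the same split the connectivity check makes.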

Add an Azure Log Analytics Dataset

Now you will add a Dataset that tells Cribl Search which log table to query within the provider’s workspace.

To add a new Dataset, select Data, then Datasets, then Add Dataset.

Set the following configurations in the New Dataset modal:

  1. Select the Dataset type: Federated Dataset.
  2. ID is an identifier that must be unique across both Cribl Search and Cribl Lake. You will use this to specify the Dataset in a query’s scope. Start the ID with a letter. The rest of the ID can use letters, numbers, and underscores (for example, my_la_dataset).
  3. Description is optional.
  4. Set Dataset Provider to the ID of an Azure Log Analytics provider, then configure the following fields:
    • Table or query (required) is the source of data for this Dataset. Enter a bare table name such as SecurityEvent, or a KQL expression such as SecurityEvent | where EventID in (4624, 4625). The value must not contain control commands (.drop, .clear, .delete, .alter, .create, .rename). You can include operators like extend, project, summarize, and sort in this field. When you run a Cribl Search query against this Dataset, filter conditions (such as where) are sent to Azure for server-side execution when possible, while other operations run locally on the Cribl Search Leader.
    • Timestamp field (optional, defaults to TimeGenerated) is the field promoted to the canonical _time field in Cribl Search results.
    • Timestamp field contents (optional, defaults to kusto_datetime) is the data format of the timestamp field. Select from the following options:
      • kusto_datetime: Kusto datetime scalar type (default)
      • epoch_sec: Unix epoch seconds
      • epoch_millis: Unix epoch milliseconds
      • iso_string: ISO 8601 string
  5. In Processing, you can apply rules for breaking data into discrete events. For more information, see Datatypes.
  6. Select Save when finished.

The Table or query field currently requires a non-empty value. Support for blank-table Datasets (where the analyst provides the full table reference in the query) is planned for a future release.
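To make the Timestamp field and Timestamp field contents settings concrete, the following added example (not Cribl's code) promotes a configured field to the canonical _time value, as Unix epoch seconds, for each of the four content formats. Kusto serialises datetime with up to seven fractional digits, which is finer than Python's microsecond resolution, so that format is parsed by hand rather than truncated. Rows whose field is missing or unparseable keep their data but get no _time, and are counted so a caller can warn. The SAMPLE_ROWS are constructed for the example.

```python
"""Promote a Dataset's timestamp field to the canonical _time (Unix epoch
seconds) for each "Timestamp field contents" setting. Added example; not
Cribl's code. SAMPLE_ROWS below are constructed."""
import re
from datetime import datetime, timezone

# Kusto serialises datetime as ISO 8601 UTC with up to 7 fractional digits
# (100 ns ticks), finer than Python's microsecond resolution, so parse it by hand.
_KUSTO_DT = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,7}))?Z$")


def parse_kusto_datetime(value):
    m = _KUSTO_DT.match(value)
    if not m:
        raise ValueError(f"not a Kusto datetime: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    whole = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                     tzinfo=timezone.utc).timestamp()
    return whole + (int(frac) / 10 ** len(frac) if frac else 0.0)


def parse_iso_string(value):
    """General ISO 8601 with an offset or Z; naive values are assumed to be UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat before Python 3.11 rejects a bare Z
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


PARSERS = {
    "kusto_datetime": parse_kusto_datetime,
    "epoch_sec": float,
    "epoch_millis": lambda v: float(v) / 1000.0,
    "iso_string": parse_iso_string,
}


def promote_time(rows, field="TimeGenerated", contents="kusto_datetime"):
    """Copy rows with _time filled from `field`. Rows whose field is missing or
    unparseable are kept without _time and counted so the caller can warn,
    rather than being dropped silently or given a wrong time."""
    parse = PARSERS[contents]
    promoted, skipped = [], 0
    for row in rows:
        value = row.get(field)
        try:
            t = parse(value) if value is not None else None
        except (ValueError, TypeError):
            t = None
        if t is None:
            skipped += 1
            promoted.append(dict(row))
        else:
            promoted.append({**row, "_time": t})
    return promoted, skipped


SAMPLE_ROWS = [  # constructed, shaped like SecurityEvent rows
    {"TimeGenerated": "2024-05-01T12:34:56.1234567Z", "Computer": "web01", "EventID": 4624},
    {"TimeGenerated": "2024-05-01T12:35:00Z", "Computer": "web02", "EventID": 4625},
    {"TimeGenerated": "not-a-time", "Computer": "web03", "EventID": 4625},
]

if __name__ == "__main__":
    rows, skipped = promote_time(SAMPLE_ROWS)
    for r in rows:
        print(r["Computer"], r.get("_time"))
    print("rows left without _time:", skipped)
```

If you point Timestamp field at a column that is not a Kusto datetime (for example an integer column your pipeline wrote in milliseconds), the content setting is what keeps _time from being silently wrong by a factor of a thousand, so check a few promoted values against the raw column before relying on time-range searches.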


Search Azure Log Analytics

Now that you have a Dataset Provider and Dataset, you are ready to start searching.

dataset="my_la_dataset" | limit 1000

It can take a few moments for a search to start returning results on the first run.

Search Row Limits

Cribl Search enforces a 50,000 row limit per query. When the entire query can be executed on the Azure side, this limit is appended to the KQL as | limit 50000. If your query already contains a | limit clause, KQL applies whichever value is lower. When the query includes operations that run locally in Cribl Search (such as aggregations), the limit is enforced locally instead.

Microsoft enforces separate per-query limits: 500,000 rows, ~100 MB response size (~64 MB compressed), and a 3-minute query timeout. If a response hits one of these limits, Cribl Search returns the rows that were received and records a warning in the Search logs. To reduce the likelihood of truncation, add filters to your query or Dataset scope, or reduce the time range of the search.