Summary:

The Cribl Search App provides a custom generating search command named ‘criblsearch’ that dispatches a Cribl-compatible search query to remotely execute in Cribl and return results against the dataset(s) specified in the query.

Details:

  • The custom command criblsearch accepts one required argument, query. This argument can contain any Cribl-compatible search operation as long as the query specifies at least one dataset.
    See here for how to build a search.
  • The command also accepts three optional arguments:
    • sourcetype, assigned to the returned results. If no sourcetype is specified, the default sourcetype criblsearch:cmd:events is assigned.
    • log_level, which overrides the default INFO log level. This is useful for generating debug-level logs for a specific query without changing the app-wide setting.
    • group, which overrides the group specified during the initial setup. Cribl currently exposes only the default group, so this option is redundant for now and serves as a placeholder in case named groups can be specified in future releases.
  • Once results are fetched with this command, you can apply any transforming commands and then write the results to a lookup file or an index with the outputlookup or collect commands for further processing.
  • Each execution of the command also writes to a log file, criblsearch.log, which is indexed into the _internal index in Splunk with sourcetype criblsearch:cmd:log. The default logging level is INFO but can be overridden per search by setting the log_level=DEBUG parameter at runtime.
  • The Cribl Search app ships with a dashboard, Criblsearch Executions, for a quick look at job executions, status, contextual information and logs for all jobs or any specific job, for troubleshooting purposes.
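The following SPL is an added usage example, not a search taken from the app's own documentation. It runs a Cribl query through criblsearch with all three optional arguments set, aggregates the returned events with a transforming command, and writes the result to a lookup file. The Cribl query uses the built-in cribl_search_sample dataset; the field names status and host, the sourcetype value and the lookup file name are assumptions chosen for illustration. Note that double quotes inside the query argument must be escaped, because the whole Cribl query is passed to Splunk as a single quoted string.

```spl
| criblsearch query="dataset=\"cribl_search_sample\" | where status >= 500 | limit 1000" sourcetype="cribl:sample:errors" log_level="DEBUG"
| stats count AS error_count BY host, status
| sort - error_count
| outputlookup cribl_error_counts.csv
```

Because log_level="DEBUG" was set for this run, the matching debug entries land in _internal and can be reviewed with `index=_internal sourcetype="criblsearch:cmd:log"`; the Criblsearch Executions dashboard is built on that same sourcetype. If the Cribl query omits a dataset, the command cannot dispatch it, so check that criblsearch log stream first when a search returns nothing.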

Installation

The app is super simple to install.

  • Download the app after filling out the form on this page.
  • Install the app on a search head.
  • Once installed, you will be asked to set up the application via the Setup page.
  • Enter the Cribl Leader URL.
  • If it is a managed cribl.cloud instance, enter a Client ID and Client Secret. The app uses these to retrieve a temporary token every time a search is run; the secret itself is never sent with the search.
  • A Client ID and Client Secret can be created, or existing ones retrieved, from the Cribl.Cloud instance's Account (top right) -> Organization -> API Management tab. Use a dedicated API client for this app rather than one shared with other integrations, so it can be rotated or revoked independently.
  • If it is a self-hosted instance, enter a username and password, which are likewise used to retrieve a temporary token every time a search is run. A dedicated account with only the permissions needed to run searches is preferable to an administrator login.
  • Leave the Group value as default. It is reserved for future use and currently has no other valid value.
  • Click Submit
  • Open a search window and use the command as per usage instructions.

Troubleshooting/Support

Support email: support@discoveredintelligence.ca

Licensing

Creative Commons BY-ND 4.0