Summary:
The Cribl Search App provides a custom generating search command named ‘criblsearch’ that dispatches a Cribl-compatible search query to remotely execute in Cribl and return results against the dataset(s) specified in the query.
Details:
- The custom command criblsearch accepts a required argument, query. This argument can contain any Cribl-compatible search operation as long as it specifies one dataset. See here for how to build a search.
- The command can also accept three optional arguments:
  - sourcetype, which is assigned to the returned results. If no sourcetype is specified, the default sourcetype criblsearch:cmd:events is assigned.
  - log_level, which overrides the default INFO log level. This is useful for generating debug-level logs for a specific query.
  - group, which overrides the group specified during the initial setup. Cribl currently offers only the default group, so this option is redundant for now and serves as a placeholder in case named groups can be specified in future releases.
- Once results are fetched using this command, you can apply any transforming commands and then write the results to an index or a lookup file using the collect or outputlookup commands for further processing.
- Each search execution also produces a log file, criblsearch.log, which is indexed into the _internal index in Splunk with sourcetype criblsearch:cmd:log. The default logging level is INFO but can be overridden by setting the log_level=DEBUG parameter at runtime.
- The Cribl Search app comes with a dashboard, Criblsearch Executions, for a quick look at job executions, status, contextual info and logs for all jobs or any specific job, for troubleshooting purposes.
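The following SPL is an added example of the usage described above, not taken from the app's own documentation; it assumes the standard name=value argument form for custom commands, and my_dataset is a placeholder for a dataset ID that exists in your Cribl instance.

```spl
| criblsearch query="dataset=\"my_dataset\" | limit 1000" sourcetype="criblsearch:cmd:events" log_level=DEBUG
| stats count AS events BY host
| outputlookup cribl_host_counts.csv

| criblsearch query="dataset=\"my_dataset\" | limit 1000"
| collect index=cribl_results

index=_internal sourcetype="criblsearch:cmd:log"
| sort - _time
```

The first search pulls events from Cribl, aggregates them with a transforming command and persists the result to a lookup file; the second writes the raw results to a summary index (cribl_results is a placeholder that must already exist); the third lists the command's own log lines, which will include debug detail for any run that set log_level=DEBUG.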
Installation
The app is super simple to install.
- Download the app after filling out the form on this page.
- Install the app on a search head.
- Once installed, you will be asked to set up the application via the Setup page:
  - Enter the Cribl Leader URL.
  - If it is a managed cribl.cloud instance, enter the Client ID and Client Secret, which in turn will be used to retrieve a temporary token every time a search is run.
  - Client ID and Client Secret can be created, or existing ones retrieved, from the Cribl cloud instance's Account (top right) -> Organization -> API Management tab.
  - If it is a self-hosted instance, enter the username and password, which will similarly be used to retrieve a temporary token every time a search is run.
  - The Group value is default. There is no need to change this, as it is reserved for future use.
  - Click Submit.
- Open a search window and use the command as per usage instructions.
Troubleshooting/Support
Support email: support@discoveredintelligence.ca