Search Queries

Abhishek Christian · April 15

How to search ipv4 range through Cribl search. What would be the syntax
I want to know whether we can search fields from raw logs or only parsed fields can be searched?

Jon Rust · April 16

where ipv4_is_private(src)

2. Try the Cribl Search _raw Data option for your data:

Jon Rust · April 15

Click the question mark to the left of the query box, then go to INET Functions. There are a number of IP search functions there, like ipv4_compare, ipv4_is_match, ipv4_is_private, etc.
I refer to the docs for Datatypes. Short answer, if I'm understanding the question, is yes, you can search for strings, patterns, and fields contained in the raw logs. But Cribl needs to know some info about the data in order for it to work. Is it K=V, or JSON, or CSV? If CSV, what is the field layout/schema? These things need to be defined by you unless it is a preconfigured, well-known log format.

Abhishek Christian · April 16

1. I tried for example, where ipv4_is_private('192.168.0.1/20') is able to fetch results. However, we want to narrow it down to SRC IP or Dest IP results. I tried where src('192.168.0.1/20') but it doesn't return results and gives an error about unknown kusto function. Src and Dst are there in raw data.

2. Datatype used is Cribl search which has event breaker type as JSON Newline Delimited with no Parsers. This is for archiving in blob. When we search, we only get fields host, input_id and source on left hand bar and everything else is tagged under raw.

Jon Rust · April 16

where ipv4_is_private(src)

2. Try the Cribl Search _raw Data option for your data:

Search Queries

Best Answer

Answers

Categories