Commands

You can quickly manage searches, metadata, and set-statement options, by using the following commands:

• .cancel – Cancel queued or running searches.
• .clear options – Disable set-statement options.
• .drop all metadata – Delete metadata generated for a dataset.
• .generate metadata – Generate metadata for a dataset.
• .show objects – Learn more about your datasets.
• .show options – View set-statement options configured for your account.
• .show queries – View searches based on their IDs, status, or the users running them.

About Commands​

Unlike functions and operators, commands start with a period. For example:

.show objects

How commands work depends on your Search Member Permissions. For example, User Search Members can manage only their own searches, but Admin Search Members can manage the searches of all users in the organization.

You can combine commands with operators. For example, to show queued queries that were created more than 10 minutes ago:

.show queued queries
 | where timeCreated < ago(10min)

However, you can’t use commands in subqueries. For example, this won’t work:

// invalid example
let stage1 = .show objects(cribl_search_sample);

For more transparency, you can provide a reason why you’re using a particular command. The reason will be added to the Cribl Search audit log. For example:

.cancel running queries with(reason = "Time is up.")

Manage Searches with Commands​

You can manage your or your users’ searches straight from the query box, using the following commands:

• .show queries – View searches based on their IDs, status, or the users running them.
• .cancel – Cancel queued or running searches.

View Searches​

To display searches based on their IDs, status, or the users running them, use the .show queries command.

User and Editor Search Members can view only their own searches. Admin Search Members can view the searches of all users in the organization.

To view all queued or running searches:

.show all queries

To view all queued searches:

.show queued queries

To view searches that are being run by specific users:

.show running queries by user "Jane*"

The results are not affected by the set time range.

Cancel Searches​

To stop queued or running searches, use the .cancel command.

User and Editor Search Members can cancel only their own searches. Admin Search Members can cancel the searches of all users in the organization.

To cancel a specific search:

.cancel query "1693827597495.ji5y5g"

To cancel searches that are queued or being run by specific users:

.cancel queries by user("John Doe", "Jane*")

To cancel all currently running searches:

.cancel running queries

The results are not affected by the set time range.

Manage Set-Statement Options with Commands​

You can manage your or your users’ set-statement options straight from the query box, using the following commands:

• .clear options – Disable set-statement options.
• .show options – View set-statement options configured for your account.

View Set-Statement Options​

To see set-statement options configured for your account, use the .show options command.

To view all options configured for you:

.show options

To view only those options that are not overridden by other settings:

.show active options

Disable Set-Statement Options​

To disable set-statement options, use the .clear options command.

To disable all options configured for your own account:

.clear options

As an Admin Search Member, to disable all options for all users in the usage group:

.clear global options

Manage Metadata with Commands​

To manage metadata that Cribl Search can optionally generate for your datasets, use the following commands:

• .generate metadata – Generate metadata for a dataset.
• .drop all metadata – Delete metadata generated for a dataset.

Generate Metadata for a Dataset​

Although you can point Cribl Search at any source and start searching immediately, you can also choose to improve search performance by enriching selected portions of your data with metadata. For this, use the .generate metadata command:

1. First, check which datasets already contain metadata, using the $vt_object_list_summary virtual table:

   dataset="$vt_object_list_summary"

   Run in Cribl SearchCopy
2. Then, run the .generate metadata command. For example:

   .generate metadata(cribl_search_sample)

   Run in Cribl SearchCopy

   If you plan to run .generate metadata on large datasets, consider adjusting the Running time limit.

3. When the command finishes running, check metadata generated during the analysis, using the $vt_object_list virtual table. For example:

   dataset="$vt_object_list" datasetId=cribl_search_sample

   Run in Cribl SearchCopy

To automatically prescan your data on a regular basis, use dataset acceleration.

Delete Metadata​

To delete metadata generated for a dataset, use the .drop all metadata command. For example:

.drop all metadata(cribl_search_sample)

Learn More About a Dataset​

To learn more about your organization’s datasets, use the .show objects command.

For example, to list the five largest objects in a dataset called cribl_search_sample, use the following command:

.show objects(cribl_search_sample)
| top 5 by size

The results are filtered by the set time range.