Scheduled Searches

Scheduled searches allow you to automate data analysis and save valuable time. By scheduling saved searches you can effectively monitor systems, optimize workflows, and send Notifications based on the evaluation of search results against a boolean condition. Use scheduled searches to aggregate data, compare results, identify anomalies, and analyze long-term trends.

For example, instead of manually running a search to gather information about login types and failures from the previous month, you can schedule a search to automatically aggregate this data at midnight on the first day of each month.

Scheduled searches can also send Notifications based on specific conditions. This helps you stay informed about important events with no manual effort. You can send Notifications to different targets, including:

To schedule a search, save or edit an existing saved search, and then toggle Schedule on. The option to save a search is under the Actions menu on the bottom right of the query box or directly on the Saved tab.

Name: Give the search a meaningful name that will help you identify it easily.

Description: A description is optional.

Results Access: Defaults to Private, where only you can view the result set. Select All Members to share the results. A result set's access level is fixed when it is created; if you change this setting, only result sets created afterward get the new setting.

Search String

Search string: This is the query; edit if needed. See how to build a search for details.

  • Sampling: Sampling uses a ratio to reduce the number of results returned from a search. For example, if a search returns 1,000 events, a 1:10 sampling ratio returns 100 events.
  • Time range: Set the window of time to search for events. See time range for details.

Schedule

Schedule: Toggle Run On Schedule on to configure the run frequency. The run frequency is specified by selecting the desired periods of time from the drop-down menus or with a custom cron expression, which defaults to 0 0 * * * (every day at 12:00 AM).

  • Timezone: Select the time zone for the scheduled search to use. The default time zone is UTC.

Search Notifications

Notifications: When a Schedule is configured, you’ll see a Notifications tab. Click Add Notification to configure when, where, and what to send when a boolean condition is met.

  • Enabled: Toggled on by default to enable the Notification.
  • When: Select the type of trigger condition.
    • Where clause: a boolean expression that triggers a Notification when it evaluates to true.
    • Count of Results: compares the number of results against the trigger count you specify.
  • Send Notification To: Select an existing Notification target to deliver the Notification or click Create to create a new target. Target options include:
  • Include results table: Enable this option to include an HTML table of up to 100 rows and 20 columns in the Notification payload (if the result set is larger, Cribl Search truncates it). Note that text wraps within the table. To make the results more legible, limit the number of fields sent (using the project operator) and limit the length of each field (using the trim function).
  • Message: Message payload template.
    • Supports the following fields that are generated by the scheduled search: timestamp, searchId, tenantId, resultSet, savedQueryId, notificationId, and searchResultsUrl with the syntax {{fieldName}} where fieldName is the field (name) of interest. For example, Date: {{timestamp}}.
    • The message can contain a maximum of 1,000 characters.

Security Risk

Embedding unverified or unsanitized Search results into an email can pose unintended security risks. Cribl recommends reviewing or sanitizing the results prior to including them.
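The field trimming, row/column truncation and sanitization steps described above, as an added example that is not Cribl's own code; the result rows are constructed sample input and the function names are assumptions of this example:

```python
"""Added example (not Cribl's code): bound and sanitize scheduled-search
results before they are embedded in a Notification payload, using the
100-row / 20-column table limit and 1,000-character message cap from the page."""
import html
import re

MAX_ROWS, MAX_COLS = 100, 20        # table limits stated on the page
MAX_MESSAGE_CHARS = 1000            # message payload cap stated on the page
TEMPLATE_FIELDS = {"timestamp", "searchId", "tenantId", "resultSet",
                   "savedQueryId", "notificationId", "searchResultsUrl"}

# Constructed sample result set; the second row carries markup that must
# never reach the mail client unescaped.
SAMPLE_ROWS = [
    {"user": "alice", "event": "login_failure", "host": "web-01"},
    {"user": "<script>alert(1)</script>", "event": "login_failure", "host": "web-02"},
]


def results_table(rows, max_len=80):
    """Build the HTML results table from a list of row dicts.

    Every cell is HTML-escaped so markup in a log field stays inert, each
    value is cut to max_len characters (the 'trim' the page recommends), and
    the table is truncated to MAX_ROWS x MAX_COLS as Cribl Search would.
    """
    if not rows:
        return "<table></table>"
    cols = list(rows[0].keys())[:MAX_COLS]
    head = "".join(f"<th>{html.escape(c)}</th>" for c in cols)
    body = []
    for row in rows[:MAX_ROWS]:
        cells = "".join(
            f"<td>{html.escape(str(row.get(c, ''))[:max_len])}</td>" for c in cols)
        body.append(f"<tr>{cells}</tr>")
    return f"<table><tr>{head}</tr>{''.join(body)}</table>"


def render_message(template, fields):
    """Substitute {{fieldName}} placeholders using only the fields a scheduled
    search generates; unknown names are left untouched, and the rendered
    message is capped at MAX_MESSAGE_CHARS."""
    def sub(match):
        name = match.group(1)
        if name in TEMPLATE_FIELDS and name in fields:
            return str(fields[name])
        return match.group(0)
    return re.sub(r"\{\{(\w+)\}\}", sub, template)[:MAX_MESSAGE_CHARS]
```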

Currently, all Notifications, regardless of the configured Notification target, will also generate a bulletin message in the Search UI. Future releases of Search may separate the behavior so bulletins can be explicitly enabled or disabled per Notification.

Advanced

Advanced provides the option to set Keep last executions: This controls the number of result sets stored. Result sets are cleaned up once an hour according to this setting, so you may temporarily see more than the configured number until the next hourly cleanup. The minimum allowed is 1, the default is 2, and the maximum is 1,000. This setting overrides the Search history maximum jobs and Search history TTL limits.

Rules

  • You can edit the schedule or query of a scheduled search and it will be used on subsequent runs.
  • Daylight saving time is automatically incorporated based on the selected time zone.

Results

Result sets from scheduled searches can be used by:

  • using the send operator to automatically send the results to Cribl Stream, for further routing and filtering.
  • opening the search from the History tab for review.

The History tab provides a filter on the top right of the table for Scheduled searches. The table provides details of each scheduled search, including its query, status, user, last run duration, and latest run time.

  • Click a row to view the scheduled search’s first result set.
  • Click N Items to view all of the result sets. From the shown result sets:
    • Click a row to view the results.
    • Click the Search ID to view the search’s details, helpful for troubleshooting.
  • The Actions column has options to Rerun and Save the search.
  • Delete one or many result sets by selecting check boxes on the left of a column and then clicking Delete Selected Jobs at the bottom left of the table.

Result Sets

Manage Scheduled Searches

You can view and manage your scheduled searches from the Saved tab. The saved searches table has a Scheduled filter and columns for Schedule and Next Run.

  • Click a row to view, edit, or delete a saved search.
  • The Actions column has options to Rerun and Clone the search.
  • To stop a scheduled search, toggle its schedule off when editing it.

Scheduled Searches

If you want to view the results of a previously run scheduled search, navigate to the History tab. See the above Results section for details.

Last updated by: Dritan Bitincka