We have updated our Terms of Service, Code of Conduct, and Addendum.

Are there any best practices to collect cribl logs and forward to Splunk?

Options

Hello everyone - are there any best practices to collect cribl logs and forward to Splunk? I am exploring `Cribl Internal` source, but it isn't providing data in JSON format.

Answers

  • xpac xpac
    xpac xpac Posts: 148 ✭✭✭
    Options

    It's not creating a _raw field. However, whenever you send an event that does not have a _raw field to Splunk, Cribl will automatically take all the fields of that event, convert them into a JSON and write that to _raw

  • Jon Rust
    Jon Rust Posts: 439 mod
    Options

    Leader Node logs would need a collection agent of some sort. I'd recommend Edge :slightly_smiling_face: Worker Node logs are handled by the Internal sources (Data -> Sources) and are delivered in JSON. YOu can route them to Splunk via S2S or HEC, but I'd recommend using Serialize to push all the bare JSON fields into a _raw object

  • Ben Marcus
    Ben Marcus Posts: 27 mod
    Options

    You can easily enable the cribl internal logs src and route to splunk destination. As noted - to get logs from the cribl leader in distributed deployment you will need another agent such as cribl edge or a splunk UF. If your enabling and routing the cribl internal metrics to splunk be sure to setup a splunk metric index type.

  • Martin Prado
    Options

    Thank you everyone for quick response. I could see data in json after forwarding to splunk through splunk hec dest.

  • Martin Prado
    Options

    regarding leader node, my deployment is in k8s, so is there any quick ways instead of baking edge on leader node's k8s deployment?