Are there any best practices to collect cribl logs and forward to Splunk?
Hello everyone - are there any best practices to collect Cribl logs and forward them to Splunk? I am exploring the `Cribl Internal` source, but it isn't providing data in JSON format.
Answers
-
It's not creating a _raw field. However, whenever you send an event that does not have a _raw field to Splunk, Cribl will automatically take all the fields of that event, convert them into JSON and write that to _raw.
0 -
Leader Node logs would need a collection agent of some sort. I'd recommend Edge 🙂 Worker Node logs are handled by the Internal sources (Data -> Sources) and are delivered in JSON. You can route them to Splunk via S2S or HEC, but I'd recommend using Serialize to push all the bare JSON fields into a _raw object.
0 -
You can easily enable the Cribl internal logs source and route it to a Splunk destination. As noted, to get logs from the Cribl leader in a distributed deployment you will need another agent such as Cribl Edge or a Splunk UF. If you're enabling and routing the Cribl internal metrics to Splunk, be sure to set up a Splunk metrics index type.
0 -
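The answers above make three points: an event with no _raw field gets all of its fields JSON-serialized into _raw on the way to Splunk, the Serialize function does the same thing explicitly, and Cribl internal metrics need a metrics-type index on the Splunk side. The following added example (not code from Cribl, Splunk, or any of the posters here) models that in Node.js: it builds the HEC payloads Splunk would receive for a constructed internal log event and a constructed metric event, so you can see what lands in _raw and how a metric event differs. The sample field names, the `__` prefix rule for internal fields, and the exclusion of HEC metadata keys (host, source, sourcetype, index) from the serialized _raw are assumptions made for the model, not documented Cribl behaviour.

```javascript
// Added example: models how a Cribl Stream event with no _raw field is
// serialized into a Splunk HEC payload, and how a Cribl internal metric
// event maps onto Splunk's HEC metrics format. Illustrative code only, not
// Cribl's or Splunk's implementation; field names are assumptions.

// Constructed sample: a worker internal log event as the Cribl Internal
// source might emit it, with no _raw field. Fields prefixed "__" are
// Cribl-internal and are never sent to a destination (assumed rule).
const sampleLogEvent = {
  _time: 1700000000.123,
  host: 'worker-01',
  source: 'cribl',
  sourcetype: 'cribl',
  level: 'info',
  channel: 'server',
  message: 'config reloaded',
  __inputId: 'cribl:CriblLogs',
};

// Constructed sample: a Cribl internal metric event (assumed shape; the
// metric names and values are illustrative).
const sampleMetricEvent = {
  _time: 1700000000.5,
  host: 'worker-01',
  source: 'cribl',
  'cribl.total.in_bytes': 123456,
  'cribl.total.out_bytes': 120000,
  __inputId: 'cribl:CriblMetrics',
};

// Keys that HEC carries as top-level metadata rather than inside the event.
const HEC_META = new Set(['host', 'source', 'sourcetype', 'index']);

// Strip Cribl-internal fields, _time, _raw and HEC metadata; what remains
// is the body that gets serialized (assumption: metadata is not duplicated
// into _raw).
function bodyFields(event) {
  const out = {};
  for (const [k, v] of Object.entries(event)) {
    if (k.startsWith('__') || k === '_time' || k === '_raw' || HEC_META.has(k)) continue;
    out[k] = v;
  }
  return out;
}

// What the answers describe: if _raw is absent, the remaining fields are
// JSON-serialized into _raw (Serialize does this explicitly, the Splunk
// destination implicitly). HEC's "event" member is that _raw string.
function toHecEvent(event) {
  const payload = { time: event._time };
  for (const k of HEC_META) if (k in event) payload[k] = event[k];
  payload.event = typeof event._raw === 'string' ? event._raw : JSON.stringify(bodyFields(event));
  return payload;
}

// Metrics need a metrics-type index and HEC's metrics shape: event is the
// literal string "metric" and measurements live in fields as
// "metric_name:<name>"; non-numeric fields become dimensions.
function toHecMetric(event, index) {
  const payload = { time: event._time, event: 'metric', index, fields: {} };
  for (const k of HEC_META) if (k in event && k !== 'index') payload[k] = event[k];
  for (const [k, v] of Object.entries(bodyFields(event))) {
    if (typeof v === 'number') payload.fields[`metric_name:${k}`] = v;
    else payload.fields[k] = v;
  }
  return payload;
}

// Newline-delimited JSON body as it would be POSTed to /services/collector.
function hecBody(payloads) {
  return payloads.map((p) => JSON.stringify(p)).join('\n');
}

// Sanity check for a log event: the _raw Splunk receives parses as JSON and
// carries none of the Cribl-internal "__" fields.
function rawIsJsonWithoutInternal(event) {
  const parsed = JSON.parse(toHecEvent(event).event);
  return Object.keys(parsed).every((k) => !k.startsWith('__'));
}

console.log(hecBody([toHecEvent(sampleLogEvent), toHecMetric(sampleMetricEvent, 'cribl_metrics')]));
```

If the log payload's `event` member is a JSON string with no `__` keys, Splunk's JSON auto-extraction will give you the fields the original poster was looking for; if the metric payload is sent to an events index instead of a metrics index, HEC rejects it, which is the failure the third answer warns about.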
Thank you everyone for the quick response. I could see data in JSON after forwarding to Splunk through the Splunk HEC destination.
0 -
Regarding the leader node, my deployment is in k8s, so are there any quick ways instead of baking Edge into the leader node's k8s deployment?
0