I have a problem with some of the data coming into Cribl from Splunk
I have a problem with some of the data coming into Cribl from Splunk. It isn't going through line breaking properly (so it seems). From the UFs it does the line breaking properly, but from an HF it doesn't. I'm thinking it is because the data is cooked from the HF. When I change the outputs.conf file (as per the Splunk docs) to `sendCookedData = false`, the data doesn't seem to even make it to Cribl. What am I doing wrong?
Answers
-
No need to cross-post to that other Slack community group with regard to Cribl. We've got your back!
0 -
HFs do event breaking before it reaches Cribl. If you're going to keep the HF in front, it will need props updates to break properly.
0 -
Once in Cribl, we can break further, but can't stitch back together.
0 -
What he said!!
0 -
Ok. I can easily do event breaking on the Splunk side.
0 -
So the UFs we don't have to do any processing, but the HFs sending to Cribl will have to do at least basic processing on the events in order to process the events correctly. Right?
0 -
Any reason why the UFs can't just send to Cribl directly?
0 -
Yeah, as far as I know you can't turn off EB functions on HFs.
0 -
I'd argue we make EB far easier to manage :)
0 -
I'd be happy to jump on a Zoom and give a demo/lesson on EBs in Cribl.
0 -
Most yes, but things like the SHs and IDXs were going to be sending their data to Cribl for additional processing of sorts. Now that may be unnecessary.
0 -
Totally possible. E.g., we can unroll events more than was done on the first pass in the HF. But we can't stitch them back together.
0 -
We do have some data that is coming from old HFs that we cannot change the source back to UFs.
0 -
Let's get some time on the calendar to talk it through. I'll send you a Calendly dealio soon (OOO right now).
0 -
<@ULBGHDPNY> I'm curious regarding this thread, because when I turn off `sendCookedData` on a UF the data doesn't seem to make it to Cribl. I use Splunk TCP push, and the Cribl documentation also says to set `sendCookedData=true`. I would like to receive the data uncooked so I can forward it to Splunk and QRadar.
0
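The two pieces of configuration the thread talks about, shown together as an added example (this is not configuration from the thread, from Cribl or from Splunk documentation): a props.conf stanza on the heavy forwarder that breaks events in the HF's own parsing pipeline, because that is where breaking happens before cooked data leaves for Cribl and it cannot be re-joined downstream; and an outputs.conf stanza that leaves `sendCookedData = true`, which the last reply says Cribl's documentation expects for its Splunk TCP source. The sourcetype name `my_app`, the ISO-style timestamp layout, and the Cribl host and port are illustrative assumptions.

```ini
# props.conf on the heavy forwarder (HF).
# The HF runs the parsing pipeline before the cooked stream leaves for Cribl,
# so event boundaries must be correct here. "my_app" and the timestamp
# layout are assumptions for this example.
[my_app]
# Break before each line that starts with an ISO-style timestamp. The first
# capture group is consumed as the delimiter; the lookahead keeps the
# timestamp in the new event. Continuation lines (stack traces) stay attached.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})
# LINE_BREAKER already defines the events, so skip the line-merge pass.
SHOULD_LINEMERGE = false
# Multiline events can exceed the default 10000-byte cut-off.
TRUNCATE = 100000
# Timestamp extraction for the same layout.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

# outputs.conf on the same HF, sending to Cribl's Splunk TCP source.
# Keep the cooked stream; host and port are assumptions.
[tcpout]
defaultGroup = cribl

[tcpout:cribl]
server = cribl.example.com:9997
sendCookedData = true
```

After editing, restart the forwarder so the parsing pipeline reloads the stanza, and confirm the merged settings with `splunk btool props list my_app --debug`. Events arriving in Cribl from this HF should then already be one event per timestamped record; Cribl's Event Breaker can split them further if needed, but, as the replies above note, it cannot merge fragments that the HF has already separated.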