I have a problem with some of the data coming into Cribl from Splunk

I have a problem with some of the data coming into Cribl from Splunk. It isn't going through linebreaking properly (so it seems). From the UFs it does the linebreaking properly, but from an HF it doesn't. I'm thinking it is because the data is cooked from the HF. When I change the outputs.conf file (as per the Splunk docs) to `sendCookedData = false` , the data doesn't seem to even make it to Cribl. What am I doing wrong?

Answers

  • David Maislin
    David Maislin Posts: 228 mod

    No need to cross post to that other Slack community group with regard to Cribl. We got your back!

  • Jon Rust
    Jon Rust Posts: 443 mod

    HFs do event breaking before it reaches Cribl. If you're going to keep the HF in front, it will need props updates to properly break
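    The props updates referred to above, as an added illustration that is not part of this thread or of any Cribl or Splunk documentation: a `props.conf` stanza on the heavy forwarder that defines event boundaries explicitly, plus the matching `outputs.conf` stanza that keeps `sendCookedData` at its default, since (as the question found and as Cribl's Splunk TCP source documentation asks for) the Splunk TCP input only understands cooked data. The sourcetype name `myapp:multiline`, the timestamp layout and the destination host are assumptions made up for the example.

```ini
# props.conf on the heavy forwarder (added example; not from this thread).
# Assumes a hypothetical sourcetype "myapp:multiline" whose events each
# begin with a timestamp such as "2024-01-15 10:23:45,123" and may span
# several lines (e.g. a stack trace after the first line).
[myapp:multiline]
# Break only where the next line starts with a timestamp. The capture group
# is the text Splunk discards between events; the lookahead is not consumed.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
# LINE_BREAKER already defines the events, so skip the slower merge pass
# that would otherwise try to glue lines back together.
SHOULD_LINEMERGE = false
# Parse the leading timestamp so each cooked event reaches Cribl with a
# correct _time instead of the arrival time.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
# Cap a runaway event (for example a dump that never matches the breaker).
TRUNCATE = 100000

# outputs.conf on the same heavy forwarder (added example; not from this thread).
# Leave cooked data on: the thread reports that sendCookedData = false stops
# data from arriving at the Cribl Splunk TCP input at all.
[tcpout:cribl]
server = cribl-worker.example.internal:9997
sendCookedData = true
```

    After the change, restart the HF (or its input pipeline) and confirm in Cribl's source capture that each multi-line record arrives as a single event; since Cribl can split an event further but, as noted in this thread, cannot stitch pieces back together, the breaker on the HF should be the coarsest boundary you ever want.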

  • Jon Rust
    Jon Rust Posts: 443 mod

    Once in Cribl, we can break further, but can't stitch back together

  • David Maislin
    David Maislin Posts: 228 mod

    What he said!!

  • Jon Rust
    Jon Rust Posts: 443 mod

    Ok. I can easily do event breaking on the Splunk side.

  • Jon Rust
    Jon Rust Posts: 443 mod

    So the UFs we don't have to do any processing, but the HFs sending to Cribl will have to do at least basic processing on the events in order to process the events correctly. Right?

  • David Maislin
    David Maislin Posts: 228 mod

    Any reason why the UFs can't just send to Cribl directly?

  • Jon Rust
    Jon Rust Posts: 443 mod

    Yeah, afaik you can't turn off EB functions on HFs

  • Jon Rust
    Jon Rust Posts: 443 mod

    I'd argue we make EB far easier to manage :)

  • Jon Rust
    Jon Rust Posts: 443 mod

    I'd be happy to jump on a zoom and give a demo/lesson on EBs in Cribl

  • Jon Rust
    Jon Rust Posts: 443 mod

    Most yes, but things like the SHs and IDXs were going to be sending their data to Cribl for additional processing of sorts. Now that may be unnecessary.

  • Jon Rust
    Jon Rust Posts: 443 mod

    Totally possible. Eg, we can unroll events more than done on first pass in HF. But we can't stitch back together

  • Jon Rust
    Jon Rust Posts: 443 mod

    We do have some data that is coming from old HFs that we cannot change the source back to UFs.

  • Jon Rust
    Jon Rust Posts: 443 mod

    Let's get some time on the calendar to talk it through. I'll send you a calendly dealio soon (ooo right now)

  • Jon Rust
    Jon Rust Posts: 443 mod

    :+1::skin-tone-2:

  • David Maislin
    David Maislin Posts: 228 mod

    <@ULBGHDPNY> I'm curious regarding this thread, because when I turn off sendCookedData from UF the data doesn't seem to make it to Cribl. I use Splunk TCP push and in Cribl documentation it also says to set sendCookedData=true. I would like to receive the data uncooked to forward it to Splunk & Qradar.