Can you use __hecToken as a filter condition for the breaker?

Shawn Cannon · September 2023

I am trying to create an event breaker to add to a HEC source. Can you use __hecToken as a filter condition for the breaker or does the breaker happen before that internal field gets added?

Shawn Cannon · September 2023

I dont need this breaker to apply to all the data coming into this HEC source

Brandon McCombs · September 2023

see diagram here for the order: https://docs.cribl.io/stream/event-processing-order#

Brandon McCombs · September 2023

short answer: breaker comes before the metadata fields

Shawn Cannon · September 2023

ok so i can use _raw.includes ?

Shawn Cannon · September 2023

or _raw.indexOf ?

Brandon McCombs · September 2023

yes

Shawn Cannon · September 2023

Thanks!

SonOfBuzi · September 2023

In my experience i was able to use __hecToken as filter condition

Can you use __hecToken as a filter condition for the breaker?

Answers

Categories