Can Cribl handle the Splunks functionality of assigning default fields dynamicaly?

Philipp Gerke · September 2023

Does anyone knows, if Cribl can handle the Splunks functionality of assigning default fields dynamicaly withe the folowing line in the logs: `SPLUNK <metadata field>=<string> <metadata field>=<string> ...` https://docs.splunk.com/Documentation/Splunk/latest/Data/Assignmetadatatoeventsdynamically. If not I would go with a 2 step linebreaking process

David Maislin · September 2023

Eval function setting top level fields? Is that what you mean?

Philipp Gerke · September 2023

Its a different way to lable data with splunks metafields which should be processed on the first full splunk instance or in this case cribl. If I understand the process correctly First comes the Header ,the 1 to n events, which are then labeld with the headers metadata fields https://helgeklein.com/blog/splunk-scripted-input-secrects/

David Maislin · September 2023

If events show up with that format Cribl could pull those fields out with Regex, Eval or Parser, cleanup the event and pass to Splunk cooked and ready to go.

xpac xpac · September 2023

Because we just discussed this <@U01C35EMQ01> - it's HEADER_MODE in props.conf and e.g. UberAgent uses this

Can Cribl handle the Splunks functionality of assigning default fields dynamicaly?

Answers

Categories