Is there any workaround to send uncooked data from Splunk HF to Cribl?
Hey, is there any workaround to send uncooked data from Splunk HF to Cribl? (dest::Splunktcp) The issue is that the EB (Cribl) is not taking any effect (I'd read before that it will be skipped by design limitations). I tried to set sendCookedData = false but the data flow stopped eventually, then added negotiateProtocolLevel = 0 but it didn't help. Another trial was to use a dest::tcp source, but ingestion stopped as well. Any ideas how we can overcome this scenario?
Answers
-
Cribl can totally process data that has already been processed by a HF before
0 -
The other way wouldn't work (without ugly hacks)
0 -
Then how can it re-process them, although it skips the EB in the Cribl source?
0 -
Oh, that's supposed to mean event breaker
0 -
So, what issue do you have? Are your events improperly broken on the HF, and how?
0 -
Is one event containing multiple events? That could be fixed. Is one event only containing parts of one event? That's something that can't really be fixed later
0 -
The latter, unfortunately; that's why I'm not using the event breaker function in the pipeline
0 -
Yeah, that's something you need to fix on the HF (or bypass it)
0