I hope you are doing well.
We have been using Cribl to transform all our logs before they hit Splunk. We want to CIM the fields. Is there a way to do it?
Thank you so much
For sure. Cribl gives you complete control to rename fields and/or move data around. It is not an easy button tho. You'll need to know your data and how it maps into CIM.
I put together an example of this sort of thing in the Cisco ASA pack (https://packs.cribl.io)
Another good example is this pack:
https://packs.cribl.io/ -> AWS VPC Flow for Security Teams
Thank you so much.