What is the equivalent of Splunk should_linemerge in Cribl?
I am getting data into Cribl and it is by default breaking on each line (also when there is no timestamp). So, I have added manual event breaking based on timestamp. But it is still the same behavior. Is there a way to disable line breaking on each line?
Answers
Also tried with regex event breaking. That is also not working.
0 -
If you can provide a sample of your event data structure, I might be able to provide an event breaker.
Also, please review this blog and video.
1 -
The data is coming to Cribl via Splunk forwarder and as it is cooked data, the event breaker settings are not working at Cribl side. Should be fixed on Splunk first.
0 -
Not necessarily. Cribl excels at manipulating your data. We can absolutely break the data in Cribl, and actually recommend it.
0 -
This sample data file was onboarded to Cribl via a Splunk UF, and the data is parsed by default with each line as a new event in Cribl. I don't want any breaking as it comes to Cribl.
0 -
If you haven't already, please review the linked video and blog above.
With only one event, I'm hoping this will work for you. Create this rule in a new Event Breaker ruleset. Save the rule, then the ruleset. Finally, apply it to your source. Once you commit and deploy, validate that newly captured events show your new breaker in the cribl_breaker field. Cribl's event breaker rulesets are very flexible and powerful. I highly recommend you dig in on this topic.
Filter: /^<authentication/.test(_raw)
Event Breaker Type: Regex
Event Breaker: [\r\n]+(?=<authentication)
Timestamp: Current time (I do not see any timestamp in your sample data)
0
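To see what that rule does before committing it, here is an added JavaScript example (not from the thread and not Cribl's own code) that emulates the Regex event breaker and the filter expression on a constructed sample. The thread never shows the real data, so the XML-like authentication block below is an assumption.

```javascript
// Constructed sample: one multi-line <authentication> record with no
// timestamp anywhere, matching what the poster describes.
const SAMPLE_RAW = [
  "<authentication>",
  "  <user>alice</user>",
  "  <result>success</result>",
  "</authentication>",
  "",
].join("\n");

// Two records back to back, to show the breaker cutting only between them.
const TWO_RECORDS =
  SAMPLE_RAW + "<authentication>\n  <user>bob</user>\n</authentication>\n";

// The Filter from the answer. In Cribl this is a JavaScript expression
// evaluated against the event, so it runs unchanged here.
function ruleMatches(_raw) {
  return /^<authentication/.test(_raw);
}

// The Event Breaker regex from the answer. The lookahead means the newline
// is only treated as a boundary when the next line starts a new record,
// so everything inside one record stays together.
const EVENT_BREAKER = /[\r\n]+(?=<authentication)/;

// Emulates the Regex breaker type: split the raw stream at each match.
function breakEvents(raw) {
  return raw.split(EVENT_BREAKER).map((s) => s.trim()).filter(Boolean);
}

// The default behaviour the poster sees: one event per line.
function breakPerLine(raw) {
  return raw.split(/\r?\n/).filter((line) => line.length > 0);
}

// Compare both strategies on the sample; returns counts for inspection.
function compareBreaking(raw) {
  return {
    filterMatches: ruleMatches(raw),
    perLineEvents: breakPerLine(raw).length,
    breakerEvents: breakEvents(raw).length,
  };
}
```

Running compareBreaking on SAMPLE_RAW gives 4 events per line but 1 with the breaker, and TWO_RECORDS yields exactly 2 breaker events.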