Best way to repopulate S3 data into Splunk?

Norman Morris

We are wanting to use Cribl to repopulate cloud trail logs from S3 into Splunk on-demand for review/audit/analysis purposes. Ideally, we would be able to request from within Splunk, but we could also query within Cribl to pull the data if necessary. Are there any best practices or use-cases that you can provide?

Jon Rust

Our docs cover this scenario. There have also been a few blogs.

Personally, I'd start in Cribl Search, refine the target dataset there, and maybe even report on it there. If that reporting isn't good enough, I'd use the send operator to export the dataset direct to Splunk, or through Cribl Stream to route as needed.