Jumping Out Looking for Community Support
Starting off with a basic question, will add more as I mature in the community-sphere. Checked best practices for packs - Best Practices for Reduction with Cribl Packs - Curious + Community - and there is no comment about performing multiple drops within one Drop function. We created a custom pack to reduce level debug and level metadata for a customer going to Splunk and then Elastic. The customer is not getting any data into Elastic from Splunk after the pack implementation. Starting down this path, the first question is: should we separate the debug and metadata drops into their own Drop functions?
Comments
Can we see the rules you've set up and sample log data? Would help a ton in troubleshooting.
Generally speaking, you can easily use 1 Drop function to impact multiple types of logs with the filter statement.
_raw.includes('something') || /someregex/.test(somefield) || someotherfield == 'noneshallpass'
Put the most commonly matched expression first in line.
0
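As an added illustration of the comment above (this is example code, not from the original post and not Cribl's own implementation), the following simulates one Drop function whose JavaScript filter expression covers both event classes from the question, debug-level events and metadata events, in a single || chain. The field names (level, type, _raw) and the sample events are constructed assumptions; the counters exist only to show how putting the most commonly matched predicate first lets the || chain short-circuit before the more expensive regex on _raw runs.

```javascript
// Constructed sample events, shaped like parsed log events with a _raw field
// plus two extracted fields (assumed names: level and type).
const sampleEvents = [
  { _raw: 'app level=debug msg="cache hit"',    level: 'debug', type: 'app' },
  { _raw: 'app level=info msg="request ok"',    level: 'info',  type: 'app' },
  { _raw: 'sys type=metadata host=web01',       level: 'info',  type: 'metadata' },
  { _raw: 'app level=error msg="db timeout"',   level: 'error', type: 'app' },
];

// Build one Drop filter (a JavaScript boolean expression, as in a Cribl Drop
// function) that removes both debug-level and metadata events. Each predicate
// increments a counter so the effect of short-circuit ordering is visible.
function makeDropFilter(stats) {
  const isDebug = (ev) => { stats.debugChecks++;    return ev.level === 'debug'; };
  const isMetadata = (ev) => { stats.metadataChecks++; return ev.type === 'metadata'; };
  // Fallback for events whose level was not parsed: a regex over _raw.
  // It is the most expensive check, so it goes last in the chain.
  const rawLooksDebug = (ev) => { stats.rawChecks++; return /level=(debug|trace)\b/.test(ev._raw); };

  // Most commonly matched expression first, cheapest field comparisons before regex.
  return (ev) => isDebug(ev) || isMetadata(ev) || rawLooksDebug(ev);
}

// A Drop function removes every event for which the filter returns true.
function applyDrop(events, filter) {
  return events.filter((ev) => !filter(ev));
}

// Run the single Drop function over the sample set and report what survived
// and how many predicate evaluations the short-circuiting chain needed.
function runExample() {
  const stats = { debugChecks: 0, metadataChecks: 0, rawChecks: 0 };
  const kept = applyDrop(sampleEvents, makeDropFilter(stats));
  return { kept, stats };
}

const result = runExample();
console.log('kept:', result.kept.map((ev) => ev._raw));
console.log('predicate evaluations:', result.stats);
```

With the order above, the four sample events need nine predicate evaluations instead of the twelve a non-short-circuiting check would need, and only the two events that match neither condition reach the regex. If the regex were placed first, every event would pay for it, which is the point of the advice to lead with the most common match.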