-
Crowdstream - Bytes out size doubled
Hi Everyone, We have integrated Azure Storage Account and Azure Application Gateway with CrowdStream (Cribl Stream) via EventHub. Since logs are in nested JSON format, we used the unroll function to convert them into individual events before forwarding them to CrowdStrike NGSIEM. Currently, we are observing that the Bytes Out size…
-
Find which worker node processed an event
Hi, Is there a way to find out which worker node processed an event? Does it inject a field, or can we configure it? The reason is we have some issues, and this could narrow it down to a particular worker node. Cheers, Jay
-
Filter expression in route with wildcard
Hi, Maybe a simple answer (I hope). For a route we want to filter the host.name, but there are a lot of hosts in the list, so a wildcard is the best way to filter. So doing something like 'drnms10*.dmz.somewhere.nl' in the filter for the servers matching this wildcard. But with a filter 'host == 'drnms10*.dmz.somewhere.nl'' wil…
-
What is the equivalent of Splunk should_linemerge in Cribl?
I am getting data into Cribl and it is by default breaking on each line (also when there is no timestamp). So, I have added manual event breaking based on timestamp, but it is still the same behavior. Is there a way to disable line breaking on each line?
-
How does "teleporting" work in Cribl Stream and Edge?
How does the 'teleporting' function work on a technical level? Based on the documentation on ports (https://docs.cribl.io/stream/ports/), it seems no inbound ports need to be opened on worker or edge nodes for the feature to work. The leader node handles teleport functionality via port 4200. When teleporting to a node,…
-
Data to TCP JSON source is not captured
I am trying to send data to a Cribl Stream TCP JSON source using a curl command, and I can see the data is coming to the Cribl worker node on the given port (verified with tcpdump), but the same data is not being captured in the TCP JSON source. Any settings I am missing here?
-
My journey into sourcePQ and delays in events getting indexed in Splunk for low volume data sources
I am a long-time Cribl & Splunk user; I have been on this platform for almost 5+ years now, and I have made my share of stupid, stupid mistakes but learnt a lot about both Cribl & Splunk. In my journey to build a more resilient Cribl + Splunk environment with the constraints I do have ($$ + time), I am constantly trying to…
-
Has anyone had experience integrating Proofpoint logs into Cribl Stream? If so, could you share any
I have been trying to find some formal documentation on bringing Proofpoint logs into Cribl Stream and wonder if anyone has some experience or documentation they could share. At the time of this writing, there's not a Cribl available for Proofpoint logging.
-
Database as data source for lookup
Hello, I would like to ask one thing: is it possible to use some database (SQL etc.) as a data source for lookup? One of our customers has a database that contains data that he would like to use to enrich events processed on Cribl Stream. The idea is that he would read the data from the database into Cribl Stream using a…
-
A working example of a script in Stream - Help me keep track of my goats
I am attempting to record which server logs are being collected, e.g. last seen, and I haven't found that capability yet. I am thinking I need something custom, maybe write to a file or a lookup. The Cribl documentation doesn't provide much in the way of specifics when it comes to implementing scripts, except an ominous…