Unanswered questions

Hi all i am having issue parsing nested Json the event goes like {  "records": [    {      "time": "2025-12-18T17:25:46.3598689Z",      "operationName": "Publish"}{"time": "2025-12-18T17:25:46.3598689Z",      "operationName": "Publish"}  ],  "_time": 1766078828.252,  "index": "index",  "sourcetype": "sourcetype",  "source": "source"}so basically, records field have multiple Json event Nested in it  i want to extract to individual events with parent fields like metadata carried to each right now when i use event breaker i am getting no change can someone help me  

Hello everyone! I’m quite new to Cribl, but I’ve spent about 10-20 hours so far reading the documentation. I’d like to send Windows event logs from on-prem servers and workstations to Azure Storage with the sort of parsing/normalisation that you’d have from Azure Monitor Agent (such as the SecurityEvent and WindowsEvent structures). This isn’t directly possible with Azure Monitor Agent and the AgentDirectToStore kind in Data Collection Rules (only Azure VMs are supported). I’m hoping that one of the Cribl products can help me with this. I looked at the Sentinel pack, and it appears to only support forwarding data to Sentinel. Is there an existing solution for mapping/normalisation/transformation (I’m not sure which term(s) are appropriate here: pipelines are so complicated!)? My environment has a lot of events across many log providers, and I’m also not sure what kind of magic that Azure Monitor Agent does to events (ie, is it just changing field names? Does it enrich the data, and if

Hi All i am migrating some sources from source →lb → syslog →  splunk to source → lb → cribl → splunk I am seeing few big events landing on plunk via syslog but the same event when i search on cribl syslog source the events are not visible at all can anybody suggest if there are any setting at cribl that can cause this drop.

Hello.  I am a total newb with API integrations and was hoping for someone to help me set up an integration between Delinea and Cribl.  I again am totally new at this and just dabbled at a couple of Cribl University courses but I need to get on the fast lane.  Is there anyone that has done this already than can walk me through this configuration.  If there is any additional details needed to clarify please let me know. So far in the Delinea platform I have followed their instructions and enabled the Syslog/CEF Logging option.  As for the entries I had to enter into the field I’m not sure if I did this right.On the Cribl side I tried setting up a Syslog Source but not sure what to enter into the field either.Hope someone can assist.Thanks!

i have corelight events which  has id.orig_h ,id.resp_h etc fields , but when i try to rename them using eval src_ip=id.orig_h… it doesnt work , the RENAME fucntion works though, I dont want to use rename because i dont want to lose original fields , i also cant use corelight pack because it is also using rename , how can i rename without losing original field???

how can i setup cribl hec source or the splunkhec destination to drop data older than 24hrs ?

Has anyone been able to Ingest Proofpoint CASB and TAP ATO (Account Takeover) logs into Stream? I do not see a collector available for these. Proofpoint sent me some API specs for their endpoint but I’m stuck.Proofpoint CASB and TAP ATOAPI GuideVersion 4.04(US)December 2023This document describes the API methods provided by the Proofpoint CASB platform for retrieving various data entities. The guide includes details on how to use the Proofpoint CASB APIs to retrieve system events and their corresponding alerts.https://proofpoint.my.salesforce.com/sfc/p/#3000000006Bs/a/Uy000000gPbV/QnJwgeOF_q4XsxQYmHUkAl_HzPSl08BxnGpQsEVVS8o

We are planning to integrate SailPoint log with Cribl and send to Cribl lake. Is there any specific Cribl doc for the same? Or anyone has done this integration in the past?