Community Discussions

This message originated from Cribl Community Slack.Click here to view the original link.Hi, changed the IP address on Cribl worker and since then the API connection to google is failing. Any clues as to where to fix this issue?Links for this message:image.png

This message originated from Cribl Community Slack.Click here to view the original link.In the webhook output, there's an 'event per request' setting. But am I correct to say there's no option to rate-limit the calls?

This message originated from Cribl Community Slack.Click here to view the original link.Hi everyone, I am collecting Logs from PaloAlto Prisma Access and I filtered some logs and I want to route them to Snowflake. There is couple of approaches i came across, is it better to write the logs to Azure Blob or GCS in this case in terms of performance ? These are the two options available for me in terms of storage. Also, can i use an api to directly send the data to snowflake warehouse? Thanks alot.

This message originated from Cribl Community Slack.Click here to view the original link.Hello, can the worker group name be changed after it is created in Cribl Cloud?

This message originated from Cribl Community Slack.Click here to view the original link.Hey all, i'm troubleshooting a sentinel destination, trying to get SecurityEvent logs into the SecurityEvent table in sentinel, I have the same destination on 4 other worker groups, and they appear to be healthy. Allowed the traffic outbound to the Azure DCR url and login on my firewall so I don't believe there's a network error: Getting this error instead: I have tried back pressure set to PQ, and it appeared to be writing into the disk and then set back to block to test around. I've already tried restarting the worker nodes and still getting the same error. I clone the destination on a different worker group again to test and it work. The volume isn't anything crazy, 20-30gb in total going through, or should be. I'm getting 401 and 400

This message originated from Cribl Community Slack.Click here to view the original link.Hello! Is there a simple way to sync lookups across worker groups that I'm not thinking of before I start diving into the API?

how to convert dump is s3 into lookup file

This message originated from Cribl Community Slack.Click here to view the original link.I need to access a rest api to grab okta logs. I see an okta pack but dont see rest api stuff. Do I need to roll ny own?

This message originated from Cribl Community Slack.Click here to view the original link.Hi everyone, I’m currently working on naming conventions for Cribl Stream and thinking through a few things. I’m wondering how, for example, setting tags on objects like sources, destinations, and routes can help with identifying related objects. I’d also like to make the best possible use of the Cribl Stream search bar that’s shown in the top right within a worker group to find objects more easily. Are there any filtering options for this, such as tag=prod? I haven’t been able to find anything on either topic in the documentation.

This message originated from Cribl Community Slack.Click here to view the original link.i have a rest feed that sends data to splunk on a daily basis. i’d like to also send that data to another destination but only once a week. I was thinking of using an output router, but is there a way to look at the day of week in the filter? Open to other suggestion on how to do this.

This message originated from Cribl Community Slack.Click here to view the original link.Hello team, I need one clarification on - Zscaler log source can be ingested in CRIBL via Amazon S3 ??

This message originated from Cribl Community Slack.Click here to view the original link.In general... should I need to import the default Cribl certificate when attempting to connect one of our AWS EC2 Linux-based Splunk Heavy Forwarders to a Splunk TCP Source hosted in a Cribl Cloud's AWS workgroup? We've confirmed that we have connectivity using netcat, but when I configure the TA in question to send data to the Cribl workgroup (using the FQDN in outputs.conf), the IP addresses fail after 3 attempts and are quarantined. I've reviewed the splunkd logs on the heavy forwarder, but they have yielded little so far.

This message originated from Cribl Community Slack.Click here to view the original link.I'll preface this by stating that I've searched the community here, and have seen some rumblings but nothing concrete. Has anyone successfully load balanced Windows Event Forwarding with an F5?

This message originated from Cribl Community Slack.Click here to view the original link.When migrating Leader Nodes from and old server to a new server (on-prem) it says to start the new Leader node, apply the license and just zip up the existing $CRIBL_HOME/groups directory and unzip it onto the new Leader node. What about for Edge Fleets?

This message originated from Cribl Community Slack.Click here to view the original link.Going through the interface of configuring an Edge node on Windows - there's a toggle for Windows Event Logs to collect in XML or JSON. JSON isn't native, so is there something behind the scenes going on with Edge that allows this? Traditionally with Steam you use the Windows pack to do the conversions

This message originated from Cribl Community Slack.Click here to view the original link.what would be the best way to report on log stats (volume, drops) for a period of a year? Should I just query an endpoint and save them to a lookup, or is there a way to do it that won’t take forever to run a report. I’d probably want avgs/peaks and also by some other criteria (routes, destinations). I know cribl vsision can do a lot of this, but my concern is that rrunning it ffor longer periods of time would take forever.

Hi All i am migrating some sources from source →lb → syslog →  splunk to source → lb → cribl → splunk I am seeing few big events landing on plunk via syslog but the same event when i search on cribl syslog source the events are not visible at all can anybody suggest if there are any setting at cribl that can cause this drop.

This message originated from Cribl Community Slack.Click here to view the original link.Hi everyone, im trying to forward logs from stream to snowflake. Has anyone tried doing this before? There is no native destination and i tried searching for workarounds but no luck so far

This message originated from Cribl Community Slack.Click here to view the original link.Hi everyone, we're trying to setup log forwarding from Cyberark Audit to cribl. Could you please help with that

This message originated from Cribl Community Slack.Click here to view the original link.Can we set up volume notifications on worker group level instead of source and destination?

This message originated from Cribl Community Slack.Click here to view the original link.I am trying to collect CATO logs using the REST Collector. The current issue is that logs retrieved via the REST API are being duplicated. When retrieving CATO logs through the REST API, I would like to avoid collecting data that was already fetched previously. Is it possible to prevent previously collected data from being ingested, for example by using timestamp information? If this is not supported as a built-in Cribl feature, could you please share any best practices to handle this?

This message originated from Cribl Community Slack.Click here to view the original link.Is there a per GB dollar cost calculator for using Lakehouse?

I’m looking to better understand how to monitor employee access to different applications via SSO. What approaches or best practices are others using?

This message originated from Cribl Community Slack.Click here to view the original link.For a File Monitor input: If I have a path say /foo/bar/ And inside of there are 4 sub folders. We'll call it A/ B/ C/ and D/ ; and I want Edge to monitor all CSV files inside /foo/bar/ except for anything in A/ Can I do this in 1 combination of "Search Path" and "Filename allowlist" ? Or do I need to create 3 specific file monitors with their direct paths?

This message originated from Cribl Community Slack.Click here to view the original link.What's the safest way to clone a currently top-level fleet to be a child fleet? On-prem deployment, and the top level fleet will be a freshly created fleet We're reshaping out fleet architecture right now and there is a lot to move I manually moved everything in lower but it was such a pain, I kept missing pieces so I'd like to do it in a more quick and safe way if possible.