Community Discussions

This message originated from Cribl Community Slack.Click here to view the original link.Happy Monday Everyone! Has anyone pulled Jira + Confluence audit logs into Cribl before? We initially tried the admin API while exploring, but we’re really after product-level audit logs. Working through OAuth now with the ex/jira and ex/confluence endpoints. Docs are a bit thin on required scopes + query params. If anyone has a working config or notes, would appreciate it. Thanks!

This message originated from Cribl Community Slack.Click here to view the original link.Is Leader - Worker Node Communication required for doing Pull Sources? ie - If my Leader node goes down for an extended period of time, and I have Workers that all have Splunk Search Sources on a cron job....Is that connection supposed to break?

This message originated from Cribl Community Slack.Click here to view the original link.Hi community, is it possible to use an S3 bucket for PQing instead of the workers filesystem?

This message originated from Cribl Community Slack.Click here to view the original link.Hi all - we've encountered a strange issue whereby pipeline(s), contained in a pack which we've authored, do not appear (as a pack or pipeline) in the WG's routes table in the route entry's pipeline/pack selection as long as the pack contains the Cribl HTTP destination. When we remove the Cribl HTTP dest from the pack, the pack becomes visible as a selectable option in the route's pipeline drop-down. Related support case is 00030881. Any ideas why this might be? Anyone else encountered this behavior?

This message originated from Cribl Community Slack.Click here to view the original link.Dropping events - I would like to match events Event_ExternalApiEvent and drop them only if the event Event_EppDetectionSummaryEvent is not true. Has anyone the best idea for this?Links for this message:image.pngimage.png

This message originated from Cribl Community Slack.Click here to view the original link.Does the Ingestion lag (minutes) setting in Advanced Settings of the Office 365 Activity source function the same as the standard collector event time filtering - filtering individual events based on the configured time range for the collection job? Meaning, does this setting target the actual event timestamps within each content blob, or does this setting apply to the actual content blob contentCreated returned from each subscription? Microsoft's documentation reads as if time filtering on the content blobs uses the contentCreated which should be the time the content became available for retrieval, but the events within each content blob may be delayed by up to a few days in some cases.

This message originated from Cribl Community Slack.Click here to view the original link.i want to automatically update the geoIP database stored in knowledge, does cribl have api call for updating it?

This message originated from Cribl Community Slack.Click here to view the original link.I am trying to implement state tracking for a rest collector. How do I reference the state in the collect parameters trying to assign the parameter 'newerThan' an integer with the javascript prevState.lastActivityId == null ? 7369027 : prevState.lastActivityId When I run a preview it just passes url encoded of my javascript, but the expression should set to 7369027

Good morning. I am new user, and I am going through the DCR section of the Prepare the Azure Workspace walkthrough.  I have found the jsons here, however nowhere in any of the instructions does it say which DCR json to load for this setup process, and none are named in such a way to obviously be the one I’m looking for. Anyone has any advice on this? Or am I just completely reading this incorrectly?

This message originated from Cribl Community Slack.Click here to view the original link.Darktrace - Has anyone managed to parse the JSON syslog and convert directly to JSON? _raw: <165>Feb 16 14:56:36 darktrace.temp.com darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5,"pid":0,"uuid":"659ec8ad-80e8-4182-a7b6-28e0d08260e5","category":"Informational","compliance":false},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"00:11:22:33:44:55","vendor":"Test Vendor","label":"

This message originated from Cribl Community Slack.Click here to view the original link.What's the upper limit you guys would suggest for amount of time to keep disconnected nodes? We have about 150 disconnects from pods rolling a day, is there a lot of stored data per node?

This message originated from Cribl Community Slack.Click here to view the original link.any hints on how much time it takes for the Lake data/consumption to appear in FinOps center? same question for Lake monitoring, we are pouring some data for like 12 hours and there is nothing in FinOps and also monitoring is empty

This message originated from Cribl Community Slack.Click here to view the original link.Hello Team, If i had setup like that below 30 days, splunk, then move to AWS can cribl read my aws data via cribl search, without the need for additional parsing etc etc.

This message originated from Cribl Community Slack.Click here to view the original link.Hi, is it possible to capture the originating IP for syslog sources? My customer has a specific requirement.

This message originated from Cribl Community Slack.Click here to view the original link.In cribl, how do i convert a json event into splunk metrics to be sent to the indexer as s2s? { average: 885463040 count: 2 maximum: 908546048 metricName: AverageMemoryWorkingSet minimum: 862380032 region: Central US time: 2026-02-11T08:51:00.0000000Z timeGrain: PT1M total: 1770926080 }

This message originated from Cribl Community Slack.Click here to view the original link.I am planning to create a custom table in Microsoft Sentinel for Zscaler Deception logs using DCR/DCE. The intended table schema contains 124 SOC‑relevant fields. However, the source logs are event‑driven, and at present only 59 fields are being populated. These 59 fields are already parsed, normalized, and enriched in Cribl before being sent to the Sentinel destination. If I define a custom table schema with all 124 fields, will the incoming logs from Cribl correctly map the available 59 fields to their respective columns, while the remaining fields stay empty/null when querying data in Sentinel? Additionally, can someone guide me on which parsing and transformation funct

This message originated from Cribl Community Slack.Click here to view the original link.does edge Linux support .xz compressed file collection?

I have a need to send json formatted data to a beats (lumberjack) input. I am new to cribl and wondered if there was a pre-configured output that could be used to send lumberjack protocol based json to a receiver?My current SIEM solution has a json parser, but is using a Beats receiver as the only way to receive it.Thanks,

This message originated from Cribl Community Slack.Click here to view the original link.Has anyone got any strategies for managing alert suppression? Looking at using search as a complete search & alerting platform but worried about alert management

This message originated from Cribl Community Slack.Click here to view the original link.Quick question - are we able to host the install-edge.sh script ourselves in our own s3 bucket?

This message originated from Cribl Community Slack.Click here to view the original link.hello, i tried searching how to change a Cribl project name, but was not able to figure out a way to do this! so is there any workaround to do this, as there are are multiple projects need to be renamed and each project has bunch of subscriptions/pipelines/destinations, so re-doing the work again in a new project isn't the best option here. cribl version 4.15.1. your support is appreciated

This message originated from Cribl Community Slack.Click here to view the original link.I have a dict that contains base64-encoded fields. How can I decode them all without knowing their names?

This message originated from Cribl Community Slack.Click here to view the original link.If I have a data with some File Paths in it. Example A:\Program Files\SplunkUniversalForwarder B:\Program Files\SplunkUniversalForwarder C:\Program Files\SplunkUniversalForwarder D:\Program Files\SplunkUniversalForwarder And I want to Drop events with SplunkUniversalForwarder in the value.... How do I do that in 1 C.Lookup function? Right now, I have C.Lookup('myLookup.csv').match(fieldName) where fieldName is the field where both my values above exist. But I have to add each one of those full paths into my Lookup file. I'm trying to avoid putting the entire file path into my CSV file since it changes so often. Would rather just pu

This message originated from Cribl Community Slack.Click here to view the original link.Hey all, just want to make sure i'm not missing something here but is there a way to get a notification that a Cribl Edge node has gone offline?

This message originated from Cribl Community Slack.Click here to view the original link.trying to drop a bunch of netbios noise from linux syslog and while my function PROTO === "UDP" && (DST.endsWith(".255") || DPT === 137) works, it doesn't account for non /24 subnets, any advice?