Community Discussions

This message originated from Cribl Community Slack.Click here to view the original link.Hi, I have an on prem stream single instance and i want to install Cribl edge on several servers to collect and forward logs to this stream instance. In this case what is the right architecture here? Can this Cribl stream single instance act as a leader for the edge nodes? or they require a separate leader ? If i install edge as a single instance on each machine i wish to collect from, does it consume a lot of resources? or should i install a separate leader node and all edge nodes connect to it?

This message originated from Cribl Community Slack.Click here to view the original link.Hi :wave: Apologies if this has been solved, I haven't been able to find anything using Slack's search option. The scenario is that we have a REST endpoint that we need to call to download a report with data, but in order to download the right report we need to first query a slightly different endpoint to get the last report ID. :sigh: Cribl's REST can do OAuth -> API call just fine, but then I need to store the returned value in a global variable so that the second REST call can look it up and use it. Not pretty, it's what we have. So the question is, is there an internal call that can perform an update of a global variable, or a REST/HTTP call that I can set as the destination to do this? The CoPilot AI says I can use /lib/vars/ endpoint to do this, however I can't find that endpoint in the API docs. The second problem I've run into is that there doesn't appear to be a REST destination that I c

This message originated from Cribl Community Slack.Click here to view the original link.Hi team, I’m configuring a Cribl File Monitor source to ingest multiple files under the same path, but it looks like only the first file in the list is actually being ingested. Has anyone run into this behaviour before? Max Depth is unlimited.Links for this message:Screenshot 2026-03-06 at 12.55.56 PM.png

Want to bring your existing Cribl configs into Terraform? This new workflow lets you export your current setup and turn it into reusable, version-controlled IaC. https://docs.cribl.io/cribl-as-code/terraform-migrate-resources/Highlights:• Export existing configs directly to Terraform• Make your Cribl environments repeatable and auditablePerfect for anyone looking to standardize and scale their deployments

 Hi,I would like advise seek advise regarding the CC Admin-Edge Final Review Lab. I have a task that keeps failing to clear.  I'm unsure which step I may have missed out. Please see details and screenshots below Task 11: Add Mask function to obfuscate VISA, Mastercard, and Discover credit cards numbersTask 11 InstructionsMask Function, Masking Rules createdMatch Regex and Replace Expression for Visa, Mastercard and Discover Applied to fields _raw from captured Sample Data Masking rules for VisaMatch Regex and Replace Expression Sample input/output results from captured sample data Masking rules for MastercardMatch Regex and Replace Expression Sample input/output results from captured sample dataMasking rules for DiscoverMatch Regex and Replace Expression Sample input/output results from captured sample data 

I need to open a support case

unable to find unified_palo_alto.log in the dropdown present in Datagen Source, hence unable to complete the lab, I don't have chance of manually uploading of the log file to the datagen. Can some one help on resolving the issue

How can I customize the port HTTP (or raw HTTP) source listens on in Cribl.Cloud?10080 is the default, and https://docs.cribl.io/stream/ports/#cloud-ports seems to indicate that I can only use 20000-20010 for additional sources?I am trying to get a webhook configuration working for DocuSign and it looks like Docusign only supports 443, 1443, 2443, etc (https://support.docusign.com/s/document-item?language=en_US&bundleId=vob1727899215236&topicId=zjq1665170940873.html&_LANG=enus).Seems like this won't be the only challenge I’ll need to overcome based on the authentication methods DocuSign and Cribl support, but it's the first obstacle i see.I tried enabling an HTTP source to listen on 1443, but when testing with https://www.geocerts.com/ssl-checker it's telling me that this port isn't responding (while 10080 is), so it appears something on Cribl side….

I’m having an issue with the setup of SSO, using Entra.  99% of it is up and working, and users are able to get in. My issue with Organization level permissions. I want the users of a particular group to have Owner permissions, at the Organization level. Per documentation, that would be set in Entra. As best I can tell, I have gone through all of the related documentation and adjusted my settings to match, but I can’t get it to work. When we log in with an SSO account, the users do have Owner rights from the Workspace down (as that is set in the Teams page), but not at the Org level. I’m sure it’s an easy setting that I’m just missing, and I’m hoping someone could point me in the right direction. 

I have some JSON that I've extracted via a parser function, manipulated/renamed some fields, and now I have an element of an array that is null. Can anyone point me in the right direction on how I might clean up the null? For reference, my end destination is a GCP storage bucket, so I'm just writing the data out as a raw JSON string.It seems I can serialize the fields back into _raw (which cleans up the null array element), and then extract again, and then remove _raw, but that feels like it is potentially inefficient, 3 step process. Is there a better way to accomplish this?

I want a method to know (within Splunk) that edge is working properly.

This message originated from Cribl Community Slack.Click here to view the original link.Hi All. I am creating a pipeline at worker group level (I have 2 worker nodes in the group) , in which I want to amend worker node name in _raw file. I tried using __cribl_worker field but I am getting value as undefined. Can someone help in getting the worker node name to amend to my _raw field

This message originated from Cribl Community Slack.Click here to view the original link.Hello, I have configured a rest collector to fetch Fastly WAF requests. the collector is working and getting the correct requests. due to limitations in the API I have to fetch 1000 requests and then utilize a suppression in the pipeline to deduplicate the requests that have already been fetched in prior runs. The problem I am running into is that the collector job is running on both workers in my WG. I tried to disable the source on one of the workers manually but the rest sources are not present in the individual worker UI. does anyone have any recommendations for configuring this so that this collection only runs on one worker? do I need to run this in a worker group with only a single worker?

This message originated from Cribl Community Slack.Click here to view the original link.Can we connect cribl Search with Azure cold storage? And be able to pull data if organized in proper monthly datasets?

This message originated from Cribl Community Slack.Click here to view the original link.Hello All. I am deploying Cribl for one of my customer where we need to collect data from a syslog server and I have 2 Cribl worker nodes to collect the data. Customer is having some concerns in getting the load balancer to distribute the traffic to my 2 worker nodes. What are the other options to send the traffic from Syslog server to 2 Cribl worker nodes? Is there any Cribl internal LB or any other recommended options?

Notes: we use a cribl.cloud leader so all of our edge nodes are managed-edge. We cannot make api requests directly to edge nodes, we have to make api requests of the leader.My org has deployed a decent number of edge nodes, but did not apply tags or a worker group when doing so. My goal is to use a patch request on the /master/workers/{id} endpoint to update the nodes.So far I have created a python script makes a get request on the /master/workers endpoint to get all config data from these nodes and modify the config with the new tag.Has anyone successfully used a patch request to update the endpoints on Cribl?

This message originated from Cribl Community Slack.Click here to view the original link.Do people typically spin up Leader nodes inside of a DMZ to control Edge clients in there?

This message originated from Cribl Community Slack.Click here to view the original link.Hi! Im about to migrate some data from an old Splunk solution over to a new one. Not all the data. As I have nightmares about multi-line events being messed up using rsync over ssh and oneshot-commands on Splunk I'm thinking about trying to use Cribl to perform this stunt. Has anyone performed this stunt before and can point me in the right direction? Right now im thinking worker and leader cribl on an old search head, splunk ingest into cribl and output to HEC on the new solution. Any help, experience or pointers would be highly appreciated.

This message originated from Cribl Community Slack.Click here to view the original link.Hello. Are there documented DR solutions that don't involve restoring from Git? unfortunately, I can't use our external git with a personal access token from the environment our Cribl stream is in.

This message originated from Cribl Community Slack.Click here to view the original link.Separate question. Is there a way to filter for fields at this level instead of inside a pipeline? Ie. we want to have events from "logGroup" X go to a certain route.Links for this message:image.png

This message originated from Cribl Community Slack.Click here to view the original link.Hey all - Working on configuring our Zscaler Cloud NSS feeds to send over to our cribl.cloud worker groups. Using the zscaler_nss Source but when i enable TLS - the connection breaks (not understanding why). Just need a sanity check that my configuration is proper. The cert is something we established for this use. Maybe something is off on my zscaler side?

This message originated from Cribl Community Slack.Click here to view the original link.does cribl integrate with parseable? Anyone ever send data to it?

This message originated from Cribl Community Slack.Click here to view the original link.For System_State data sets - Can we add a polling interval per Collector/Metric? Or do we have to add new Sources and group the Collectors/Metrics by polling interval. Example - I dont need host info every 5 minutes. Listening Ports on the other hand....might be good every 5 minutes.

This message originated from Cribl Community Slack.Click here to view the original link.Happy Monday Everyone! Has anyone pulled Jira + Confluence audit logs into Cribl before? We initially tried the admin API while exploring, but we’re really after product-level audit logs. Working through OAuth now with the ex/jira and ex/confluence endpoints. Docs are a bit thin on required scopes + query params. If anyone has a working config or notes, would appreciate it. Thanks!

This message originated from Cribl Community Slack.Click here to view the original link.Is Leader - Worker Node Communication required for doing Pull Sources? ie - If my Leader node goes down for an extended period of time, and I have Workers that all have Splunk Search Sources on a cron job....Is that connection supposed to break?