Community Discussions

I am getting the following error in stream from REST Collection. message:Validation error (WrongType@[events]) : argument 'between.startTime' with value 'StringValue{value='`${C.Time.strftime(new Date((earliest * 1000.toISOString()}`'}' is not a valid 'DateTime'Here is the schema for GraphSQL and Collect POST body i am using. What am i doing wrongly? can any help with setting the correct time value.GraphSQLbetween: { startTime: "`${C.Time.strftime(new Date((earliest * 1000.toISOString()}`" endTime: "`${C.Time.strftime(new Date((latest * 1000.toISOString()}`"}Collect POST bodybetween: { startTime: \"`${C.Time.strftime(new Date((earliest * 1000.toISOString()}`\" endTime: \"`${C.Time.strftime(new Date((latest * 1000.toISOString()}`\" }

Hi, i'd like know what is recommended method to save Zabbix event data (source) to mysql (destination). I understand that mysql is not typical and preffered destination but thats my use case. Thank you

we are removing some fields using Eval function but the bytes_in and bytes_out are still the same. But, in the pipeline statistics we can see the bytes_out is reduced but it is not reflecting in the Monitoring → Flows.

We are wanting to use Cribl to repopulate cloud trail logs from S3 into Splunk on-demand for review/audit/analysis purposes. Ideally, we would be able to request from within Splunk, but we could also query within Cribl to pull the data if necessary. Are there any best practices or use-cases that you can provide?

I am getting data into Cribl and it is by default breaking on each line (also when there is no timestamp). So, i have added manual event breaking based on timestamp. But it still the same behavior. Is there a way to disable line breaking on each line?

I am trying to send data to Cribl stream→ TCP Json source using curl command, and i can see the data is coming to Cribl worker node on the given port ( verified with tcpdump) but the same data is not being captured in the TCP JSON source. Any settings i am missing here?

Hi I'm in the process of setting up Cribl to send data from a syslog source ( AWS hosted Cisco FTDs) to Amazon S3 .Although the firewall rules are locked down to source and destination , I'm concerned about transmitting unprotected data over the Internet .Can you please advise on the best way to protect the traffic ?Thanks

How does the 'teleporting' function work on a technical level? Based on the documentation on ports (https://docs.cribl.io/stream/ports/), it seems no inbound ports need to be opened on worker or edge nodes for the feature to work. The leader node handles teleport functionality via port 4200. When teleporting to a node, does it simply stream the UI data to the leader, essentially mirroring the node's interface rather than establishing a direct session? I couldn’t find detailed documentation on this, and tools like TCP dump/Wireshark or internal logs haven’t provided further insights.Thank you :) https://docs.cribl.io/stream/ports/

Akamai has the SIEM API which allows to capture security events generated on the Akamai platform. We have been getting these events to Splunk via Splunk Add-on earlier https://splunkbase.splunk.com/app/4310/ and decided to try Cribl REST collector. After giving collect URL's & required credentials in collector's config, I can't see the events from Akamai and getting 400 error. not sure what's getting missed. "type": "https://problems./-/pep-authn/request-error", "title": "Bad request", "status": 400, "detail": "Authorization header missing",

I want to report on logs ingested with Cribl in the Splunk environment. The logs will remain stored on the Cribl side, but the reporting will be done in Splunk. How can I achieve this?The logs are NOT forwarded to Splunk.thank you in advance for your answers

What is the difference between cribl and Azure log analytics workspace...What is the benefit when I use instead of Azure LAW

HiI have 2 cribl workers (cribl worker 1 and cribl worker 2 )managed by the same manager; cribl worker 1 goes down every now and then and has to be started manually. Status checks return the following: 'Cribl is stopped, but pid file exists'; can any of you please help me troubleshoot or point me in the right direction

I have tried Event Breaker on this type of data but it didn't work, it can't separate the record into individual events note: this is the live data streamed from Azure event hub and this is the event breaker configuration but if I use the same pipeline or the event breaker at the knowledge with the data in that shape it works fine and splits every record into an event I tried to use unroll but also didn't work so any suggestion on how can i solve this issue?thanks,

I been trying to find some formal documentation on bringing Proofpoint logs into Cribl steam and wonder if anyone had some experience or documentation they could share. At the time of this writing, there's not a cribl available for proofpoint logging.

We are running a PowerShell scrip to collect AD Computers using the Get-ADComputer cmdlet and we are receiving this type of response in Cribl which is not what we are expecting to receive:{"time":"2024-09-20T14:40:32.097Z","cid":"w0","channel":"input:test-retrieve_ad_computers","level":"error","message":"error from child process","data":{"0":65,"1":116,"2":32,"3":108,"4":105,"5":110,"6":101,"7":58,"8":49,"9":32,"10":99,"11":104,"12":97,"13":114,"14":58,"15":49,"16":53,"17":54,"18":13,"19":10}}

TL;DR Use VSCode to test out javascript "code" function locally before attempting it in Cribl Stream/Edge.I wanted to first give a shout out to @Jon Rust for pointing me in this direction. Paying it forward to other Cribl users who would like to give the code function a shot.I am using the example from the following pagehttps://docs.cribl.io/stream/usecase-code-function/#building-a-new-arrayI had a pipeline with about 40 functions which was used to take a bunch of metrics together and publish it as a multi-metric into splunk. I wrote this with David Maislins help about 3-4 years ago, and it was getting to be a bear to maintain and upate. The code function was the perfect candidate for this. I took 36 functions and consolidated into 1 code function which was much easier to debug. Please note I have NO experience with JS and this is just something I came up over 2 days

I have a need to send json formatted data to a beats (lumberjack) input. I am new to cribl and wondered if there was a pre-configured output that could be used to send lumberjack protocol based json to a receiver?My current SIEM solution has a json parser, but is using a Beats receiver as the only way to receive it.Thanks,

Hello, I would like to ask one thing: is it possible to use some database (SQL etc.) as a data source for lookup? One of our customers has a database that contains data that he would like to use to enrich events processed on Cribl Stream. The idea is that he would read the data from the database into Cribl Stream using a suitable connector, save it as a CSV file and then use that as the source for a lookup to use in the pipeline. Since I don't have experience with something like this yet, I would like to ask: Is there anyone who has experience with this? Is this a feasible way? And if so, is it suitable or are there better ones? What is there to be careful about performance, load on Cribl and the database, etc.? (Enrichment would involve about 200 events per second, the database is in the lower tens of thousands of rows, and the data in the lookup should be refreshed once per hour.) Any experience, ideas or recommendations would be greatly appreci

Hey All,Trying to setup TCP source to onboard our vendor saas logs in to our onprem splunk. With Cribl can we do IP whitelisting for the TCP source and allow only certain IPs instead of opening it up to public. My setup is onprem so want to see if there are possibilities available in the cribl side.

Hi,I'm trying to setup a Splunk HEC within Cribl Stream, and I'm encountering the error "malformed HEC event." I've encountered that error when setting up HECs in Splunk, and to correct the problem I have to go to Source type > Select Source Type > Structured > _json when editing the HEC's settings. I've been looking and reading search results, but so far I haven't found the equivalent setting in Cribl Stream. Where can I find that setting for the HEC please?

I’m attempting to leverage the REST collector to collect logs from Duo. The REST API requires authentication to be in the form of an HMAC-SHA1 signature in hex ASCII format. Instructions can be found here: Duo Admin API | Duo Security.At the very least, I’m curious if this is possible, and if so, how would one go about setting this up? Thanks!

I'm new to Cribl, so at this point we have single-instance Cribl Stream installed on premise. We just got a new SE, and he stated I need to move the Leader Node to the cloud as it's easier for him to troubleshoot. I have a cloud account created.I presume this is the distributed deployment, but the menus described in the documentation don't seem to align with what I see in the UI. https://docs.cribl.io/stream/deploy-distributed/ I'm not confident I have the correct software. Can Stream be converted into a worker node? Do I need the distributed deployment? Can anyone point me to a video that describes the process? I've looked on YouTube, but I've not had any luck.

Is there a way to move a worker to another group via GUI? And when not, why not?!

We are planning to enable gitops workflow for production and from the docs we understood that the production environment will be “read only” if the gitops workflow is set to “push”. What if there is outage with “git” and we can’t do the release? What is the alternative to push the code without git?

How I can Parse Array of array in cribl stream. Each array element contains multiple strings.