Does anyone know if Cribl can handle Splunk's functionality of assigning default fields dynamically with the following line in the logs: `SPLUNK <metadata field>=<string> <metadata field>=<string> ...` https://docs.splunk.com/Documentation/Splunk/latest/Data/Assignmetadatatoeventsdynamically. If not, I would go with a 2-step line-breaking process.
Eval function setting top level fields? Is that what you mean?
It's a different way to label data with Splunk's metafields, which should be processed on the first full Splunk instance, or in this case Cribl. If I understand the process correctly, first comes the header, then the 1 to n events, which are then labeled with the header's metadata fields. https://helgeklein.com/blog/splunk-scripted-input-secrects/
Because we just discussed this <@U01C35EMQ01> - it's HEADER_MODE in props.conf and e.g. UberAgent uses this
If events show up with that format, Cribl could pull those fields out with Regex, Eval or Parser, clean up the event and pass it to Splunk cooked and ready to go.
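
The approach in the last reply, written out in JavaScript as an added example (not part of the original thread, and not Cribl's or Splunk's own code). It assumes the header line starts with `SPLUNK`, optionally wrapped in asterisks, that a later header overrides only the keys it names, and that each event keeps its text in `_raw`; the function names and sample lines are constructed.

```javascript
// Added example. Assumptions: header marker "SPLUNK" (asterisks optional),
// key=value pairs separated by whitespace, values optionally double-quoted.
const HEADER_RE = /^\*{0,3}SPLUNK\*{0,3}\s+(.*)$/;
const PAIR_RE = /([A-Za-z_][\w:]*)=(?:"([^"]*)"|(\S+))/g;

// Returns the metadata fields of a header line, or null for an ordinary event.
function parseHeader(line) {
  const m = HEADER_RE.exec(line);
  if (!m) return null;
  const fields = {};
  for (const [, key, quoted, bare] of m[1].matchAll(PAIR_RE)) {
    fields[key] = quoted !== undefined ? quoted : bare;
  }
  // "SPLUNK" followed by free text with no key=value pair is not a header.
  return Object.keys(fields).length ? fields : null;
}

// Walks the lines in order: a header updates the running metadata and is
// dropped from the stream; every other line becomes an event labelled with
// the metadata in force at that point.
function applyHeaderMetadata(lines) {
  let current = {};
  const events = [];
  for (const line of lines) {
    if (line.trim() === '') continue;
    const header = parseHeader(line);
    if (header) {
      current = { ...current, ...header }; // assumption: merge, not reset
      continue;
    }
    events.push({ ...current, _raw: line });
  }
  return events;
}

// Constructed sample input: two headers, three events.
const sample = [
  '***SPLUNK*** host=web01 sourcetype=app:log index=main',
  'user=alice action=login',
  'user=bob action=logout',
  'SPLUNK host=db01 source="/var/log/db audit.log"',
  'query took 12ms',
];

console.log(applyHeaderMetadata(sample));
```

Events that arrive before any header come out with only `_raw` set, so a downstream check for a missing `host` or `sourcetype` will catch streams where the header was lost.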