I am trying to create an event breaker to add to a HEC source. Can you use __hecToken as a filter condition for the breaker or does the breaker happen before that internal field gets added?
See the diagram here for the order: https://docs.cribl.io/stream/event-processing-order#
I don't need this breaker to apply to all the data coming into this HEC source.
Short answer: the breaker comes before the metadata fields.
OK, so I can use _raw.includes?
Or _raw.indexOf?
yes
Thanks!
In my experience I was able to use __hecToken as a filter condition.