Question

Can you use __hecToken as a filter condition for the breaker?

Forum|Forum|1 year ago
March 11, 2025
8 replies
25 views

+1

Shawn Cannon
Known Participant

I am trying to create an event breaker to add to a HEC source. Can you use __hecToken as a filter condition for the breaker or does the breaker happen before that internal field gets added?

B

Brandon McCombs
Employee
Forum|Forum|1 year ago
March 11, 2025

see diagram here for the order: https://docs.cribl.io/stream/event-processing-order#

Like

+1

Shawn Cannon
Author
Known Participant
Forum|Forum|1 year ago
March 11, 2025

I dont need this breaker to apply to all the data coming into this HEC source

Like

B

Brandon McCombs
Employee
Forum|Forum|1 year ago
March 11, 2025

short answer: breaker comes before the metadata fields

Like

+1

Shawn Cannon
Author
Known Participant
Forum|Forum|1 year ago
March 11, 2025

ok so i can use _raw.includes ?

Like

+1

Shawn Cannon
Author
Known Participant
Forum|Forum|1 year ago
March 11, 2025

or _raw.indexOf ?

Like

B

Brandon McCombs
Employee
Forum|Forum|1 year ago
March 11, 2025

yes

Like

+1

Shawn Cannon
Author
Known Participant
Forum|Forum|1 year ago
March 11, 2025

Thanks!

Like

S

SonOfBuzi
Inspiring
Forum|Forum|1 year ago
March 11, 2025

In my experience i was able to use __hecToken as filter condition

Like

Sign up

Using your Cribl Curious or University Account

Login to the community

Using your Cribl Curious or University Account

Scanning file for viruses.

This file cannot be downloaded