Question

Can you use __hecToken as a filter condition for the breaker?

Forum|Forum|8 months ago
March 11, 2025
8 replies
2 views

Shawn Cannon
Known Participant

I am trying to create an event breaker to add to a HEC source. Can you use __hecToken as a filter condition for the breaker or does the breaker happen before that internal field gets added?

B

Brandon McCombs
Employee
Forum|Forum|8 months ago
March 11, 2025

see diagram here for the order: https://docs.cribl.io/stream/event-processing-order#

Like

Shawn Cannon
Author
Known Participant
Forum|Forum|8 months ago
March 11, 2025

I dont need this breaker to apply to all the data coming into this HEC source

Like

B

Brandon McCombs
Employee
Forum|Forum|8 months ago
March 11, 2025

short answer: breaker comes before the metadata fields

Like

Shawn Cannon
Author
Known Participant
Forum|Forum|8 months ago
March 11, 2025

ok so i can use _raw.includes ?

Like

Shawn Cannon
Author
Known Participant
Forum|Forum|8 months ago
March 11, 2025

or _raw.indexOf ?

Like

B

Brandon McCombs
Employee
Forum|Forum|8 months ago
March 11, 2025

yes

Like

Shawn Cannon
Author
Known Participant
Forum|Forum|8 months ago
March 11, 2025

Thanks!

Like

S

SonOfBuzi
Inspiring
Forum|Forum|8 months ago
March 11, 2025

In my experience i was able to use __hecToken as filter condition

Like

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded