I have a problem with some of the data coming into Cribl from Splunk

No need to cross post to that other Slack community group with regard to Cribl. We got your back!

HFs do event breaking before it reaches Cribl. If ur going to keep the HF in front, it will need props updates to properly break

Once in Cribl, we can break further, but can't stitch back together

What he said!!

Ok. I can easily do event breaking on the Splunk side.

So the UFs we don't have to do any processing, but the HFs sending to Cribl will have to do at least basic processing on the events in order to process the events correctly. Right?

Any reason why the UFs can't just send to Cribl directly?

Yeah, afaik you can't turn off EB functions on HFs

I'd argue we make EB far easier to manage:)

I'd be happy to jump on a zoom and give a demo/lesson on EBs in Cribl

Most yes, but things like the SHs and IDXs were going to be sending their data to Cribl for additional processing of sorts. Now that may be unnecessary.

We do have some data that is coming from old HFs that we cannot change the source back to UFs.

Let's get some time on the calendar to talk it through. I'll send you a calendly dealio soon (ooo right now)

Totally possible. Eg, we can unroll events more than done on first pass in HF. But we can't stitch back together

:skin-tone-2:

<@ULBGHDPNY&gt; I'm curious regarding this thread, because when i turn off sendCookedData from UF the data doesn't seem to make it to Cribl. I use Splunk TCP push and in Cribl documentation it also says to set sendCookedData=true. I would like to receive the data uncooked to forward it to Splunk & Qradar.