Hey,Is there any workaround to send uncooked data from Splunk HF to Cribl? (dest::Splunktcp)The issue is that the EB(Cribl) is not taking any effect (I'd read before it will be skipped by design limitations).tried to set sendCookedData = false but the data flow had stopped eventually, then added negotiateProtocolLevel = 0 but it didn't help, other trial was to use dest::tcp source but ingestion has stopped as well. Any ideas how we can overcome this scenario.
Page 1 / 1
Cribl can totally process data that has already been processed by a HF before
The other way wouldn't work (without ugly hacks)
Then how can it re-process them although it skips the EB in Cribl source
Oh, that's supposed to mean event breaker
So, what issue do you have? Are your events improperly broken on the HF, and how?
Is one event containing multiple events? That could be fixed. Is one event only containing parts of one event? That's something that can't really be fixed later
Yeah, that's something you need to fix on the HF (or bypass it ")
The latter unfortunately, thats why I'm not using the event breaker function in the pipeline
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.