Hi community, I've a requirement of splitting 2 types of events from a single syslog stream based on event data fields like "appname=='CEF'". I tried the following filter in data routes and was hoping it would work: __inputId.startsWith('syslog:in_syslog:') && appname=='CEF'. But unfortunately it's not working. I already went through the Cribl documentation (https://sandbox.cribl.io/coursedocs/expressions/docs/filters) but I'm not sure where exactly the filter condition fails to filter the events.
Hi Manish, does the event already contain appname=CEF as a field, or is it within the _raw field? If the latter, you will need to either split the field out in a preprocessing pipeline or use another filter condition like _raw.includes('CEF'). Could you share an anonymized sample event here?
Hi Oliver, this seems to be fixed now. Actually I didn't notice that the syslog stream was consumed completely in a prior data route which was set as final. So there was no data forwarded to the subsequent data route.
Glad you found the problem.
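An added example (not code from the thread or from Cribl) that models both points raised above: a route table where an earlier route marked final swallows the whole syslog stream, and the difference between filtering on a parsed appname field and on _raw. Route filters are plain JavaScript expressions evaluated with the event's fields in scope, which is what compileFilter mimics; the events, route names and the input id suffix are constructed for illustration.

```javascript
// Constructed sample events (not from the thread). Only the first carries a
// parsed `appname` field; the second has "CEF" only inside _raw.
const EVENTS = [
  { __inputId: 'syslog:in_syslog:tcp', appname: 'CEF', _raw: 'CEF:0|Vendor|Product|1.0|100|Login|3|' },
  { __inputId: 'syslog:in_syslog:tcp', _raw: 'Jan 1 00:00:00 host CEF:0|Vendor|Product|1.0|100|Login|3|' },
  { __inputId: 'syslog:in_syslog:tcp', appname: 'sshd', _raw: 'sshd[123]: session opened' },
];

// Compile a filter expression string into a predicate. Like a route filter, it is
// JavaScript evaluated with the event's fields in scope; fields the event lacks are
// passed as undefined, so appname=='CEF' is simply false instead of a ReferenceError.
function compileFilter(expr, fieldNames) {
  const fn = new Function(...fieldNames, `return Boolean(${expr});`);
  return (event) => fn(...fieldNames.map((f) => event[f]));
}

// Minimal model of a route table: routes are tried in order, and the first matching
// route marked `final` stops evaluation for that event, so later routes never see it.
function routeEvents(routes, events) {
  const fields = [...new Set(events.flatMap((e) => Object.keys(e)))];
  const compiled = routes.map((r) => ({ ...r, match: compileFilter(r.filter, fields) }));
  const counts = Object.fromEntries(routes.map((r) => [r.name, 0]));
  for (const event of events) {
    for (const route of compiled) {
      if (!route.match(event)) continue;
      counts[route.name] += 1;
      if (route.final) break;
    }
  }
  return counts;
}

// The layout from the thread: a catch-all syslog route ahead of the CEF route, final=true.
const BROKEN = [
  { name: 'all_syslog', filter: "__inputId.startsWith('syslog:in_syslog:')", final: true },
  { name: 'cef', filter: "__inputId.startsWith('syslog:in_syslog:') && appname=='CEF'", final: true },
];
// Fix: put the specific CEF route first (or mark the catch-all non-final).
const FIXED = [BROKEN[1], BROKEN[0]];
// Alternative from the thread when appname has not been parsed out of _raw yet.
const FIXED_RAW = [
  { name: 'cef', filter: "__inputId.startsWith('syslog:in_syslog:') && _raw.includes('CEF')", final: true },
  BROKEN[0],
];

console.log(routeEvents(BROKEN, EVENTS));    // { all_syslog: 3, cef: 0 }
console.log(routeEvents(FIXED, EVENTS));     // { cef: 1, all_syslog: 2 }
console.log(routeEvents(FIXED_RAW, EVENTS)); // { cef: 2, all_syslog: 1 }
```

The _raw.includes('CEF') variant is broader than the field match: it also catches the event whose appname was never parsed, so use it only if a substring hit anywhere in the raw line is acceptable.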