Products

Best way to extract fields from this data where the the field and value are separated by a : and the group is delimited by a , ?{"action": "update", "body": "New token value generated", "name": "user1", "timestamp": "2023-08-24T19:33:22+00:00", "userID": "1"}

I'm trying to send data to Chronicle using a custom log type but it is not working and the error messages are not very helpful.  The logs are JSON events.   I know the connector works because if I change the default log type to "Honeyd" from custom, the events are successfully sent to Chronicle.   Anyone have any success sending custom log types to Chronicle?

In the “File Monitor” Allowlist, can I use REGEX expressions like \d{2} or just ! & *?

Currently I'm ingesting Windows Classic and Windows Sysmon XML using Splunk UF, and apply corresponding packs to convert to JSON and some custom modifications. Until few days everything worked, but now we are receiving empty or broken messages.I'm running Splunk UFs 9.0.4/Splunk Cloud 9.0.2209.4 and Cribl 4.2.2.Config on UFs, as recommended in the docs. On Cribl Worker s2s is v4.[tcpout] disabled = false defaultGroup = cribl-worker-1[tcpout:cribl-worker-1] sendCookedData = true server=x.x.x.x:9997I noticed that Cribl defaults to fallback event breaker. No error/warnings in Cribl logs.

I can't get any of the data destinations to work. I have tried this with ElasticSearch, AWS S3 and Splunk. The message I get when I try a Test payload is "Error: 400-Bad Request Output … does not exist!"The logs don't have any information either.I'm running stream in a docker container. I got the same results on Cribl cloud instance as well.

If all owner/admin access is lost to a Cribl Cloud org/tenant that is currently setup to use SSO then how does anyone re-gain admin access?

We use Cribl Cloud, but would like to use our own sub-domain as a target so that we can re-route data as well as manage our own TLS certificates.Can I do this with Cribl Cloud?

Afternoon (at least on my side).Need some help on my side. I've got a Splunk HF cluster sending events to my Cribl cluster. The HFs are experiencing this issue every now and then:08-16-2023 09:29:32.056 +0200 WARN  TcpOutputProc [12084 indexerPipe_1] - The TCP output processor has paused the data flow. Forwarding to host_dest=xx.xx.xx.xx inside output group cribl_out_group from host_src=xxxxxx has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.It's not happening too often, so I guess the questions are:Should I be worried?If yes, where do I start looking for what might be causing the issue on the Cribl side?

Hi Experts,i am doing some sizing calculation using  https://criblsizing.info/ what is the per node -2 referring to ?

Can Cribl Stream read AWS S3 tags? I know there are multiple places where you can add tags to parts of the stream, such as in the Source or in a Pipeline, but I want my stream to be able to read the tags that are assigned via S3 in order to filter them. If that's not possible, would I be able to call a Lambda function and use that to manage the tags instead?

We don't want our Cloud org to be removed, can that action be undone? We don't want to lose our configurations or any of the data being processed.

Hello, I have my Cribl setup in GitOps mode (https://docs.cribl.io/stream/gitops/). I also have it setup to auth against Azure AD (https://docs.cribl.io/stream/usecase-azure-ad/). Further, I have defined several Azure AD groups including one that I have assigned the GitOps role to (https://docs.cribl.io/stream/gitops/#user-role). When I attempt to follow the instructions (https://docs.cribl.io/stream/gitops/) about obtaining a Bearer token and use an account that is only in Azure AD, I always get “Invalid user or password”. However, if I use an account that exists internal to Cribl, it will succeed. I want to setup GitHub workflows to automate the sync once I complete a pull request. I realize I could create an internal user in Cribl and assign the GitOps role to it and just use that. But, I think I should be able to do this with an Azure AD user too. Has anyone run into this before and found a resolution? Thanks!

I’m really having a hard time with the GitOps sync. I’ve repeatedly followed the steps to generate a bearer token and am always getting “Forbidden” when I attempt to make the production leader sync. This has worked in the past.mkdir -p ~/.authcurl http://<Leader-URL-or-IP>:9000/api/v1/auth/login -H 'Content-Type: application/json' -d "{\"username\":\"<username>\",\"password\":\"<password>\"}" 2>/dev/null | jq -r .token > ~/.auth/tokenexport JWT_AUTH_TOKEN=`cat ~/.auth/token`export AUTH_HEAD="Authorization:Bearer `cat ~/.auth/token`"curl -X POST "http://<Leader-URL-or-IP>:9000/api/v1/version/sync" -H "accept: application/json" -H "${AUTH_HEAD}" -d "ref=prod&deploy=true"Any suggestions?

For a JSON log using the default Cribl JSON event breaker, do you know what the name is of the top most object?  For instance, _raw is an object, but what is the name of the object containing _raw?

In the monitoring section, how is Free Memory calculated per worker?

Hello,Currently testing the process of sending logs to the Chronicle destination.How do i retrieve the data from the "_raw" field.I came across a blog post that seemed to be relevant to my use case, where it mentioned using the log text field as "_raw."https://cribl.io/blog/google-chronicle-ingestion/However, despite following the instructions, I have not been successful in getting it to work.Appreciate any help.

The host name was showing up properly in the old version 4.1.0, but now the host shows up as the ip address of the first interface on the box.  This is bare metal

Greetings, how do I delete an edge node from the UI?

Hello, I’m trying to creation a S3 destination and trying to figure out how I can add index value to the file name.  How do I pass the index field from the source to the S3 destination file name?

hello, i’m trying to create a sql server db connection, but got a self signed certificate error. Is there an option that I can use to bypass this issue?  I’m using the following format from the documentation: Server=localhost; Database=test;User Id=SA; Password=Testing123![; Option=Value]Original Author: Tae HaLink: https://cribl-community.slack.com/archives/CPYBPK65V/p1690207040810899?thread_ts=1690207040.810899&cid=CPYBPK65V

Does anyone have a splunk universal forwarder config they typically use for forwarding?Original Question: https://cribl-community.slack.com/archives/CPYBPK65V/p1690293855973699Original Author: Matt

Dear Cribl Community,Is there a way to paginate the DISCOVER (HTTP Request) stage results when using the REST API collector. The COLLECT stage has pagination parameters, but I can't figure out how to paginate discover results. Thanks!Regards,Justas

When a worker nodes fail (down for whatever reason), what happens to the data that the specific worker had received for processing ( like, in-memory , PQ data ) ? Worker nodes receive data in distributed manner for processing , how does it ensures that data delivered to any third party destination (e.g. splunk ) is the chronological order of the events ?e.g. in case of hardware issues / slowness if a worker node is experiencing lag in processing data ., can it be expected that data send to any output destination has latency ?

Is there a configurable setting within Stream to alert or notify when a particular source stops sending events for a given period of time? Thanks

HiI have DB Input. Adhoc it is working fine, but not scheduled. I can see different in the logs in the fields filtered.But I do not see an filter settings. I do not see any filter in the scheduler.Original Message: https://cribl-community.slack.com/archives/CPYBPK65V/p1688712420207369