The Cribl Packs Dispensary – A Place to Share and Care

Written by Mike Dupuis

July 5, 2022

Building Packs is good. Sharing Packs is better! The Cribl Packs Dispensary is the go-to place to find, install and share Cribl Packs. What are Packs? A Cribl Pack is a collection of pre-built Routes, Pipelines, data samples, and knowledge objects. Packs let you share best-practice configurations that route, shape, reduce and enrich a given log source, Palo Alto Networks logs for example. Packs can be used with Cribl Stream and Cribl Edge.

How do you create a Pack? Good question: Here’s a How-To blog and video on Pack creation.

For this blog, we’ll show you how to navigate the Pack Dispensary and how to add a pack to your Cribl deployment.

Locating the right Pack is key, and the Search feature makes this easy. Type “Palo Alto Networks” into the Search field and you’ll find the Palo Alto Networks Pack.

[Screenshot: Dispensary search results for “Palo Alto Networks”]

A search for “Microsoft” returns several Packs and highlights a key feature: both Cribl-authored and community-authored Packs are available in the Dispensary.

[Screenshot: Dispensary search results for “Microsoft”]

A teal title banner and the Cribl logo mark Cribl-authored Packs, as on the Microsoft Windows Events Pack above. Packs authored by our illustrious community members sport a gray banner.

Additional Navigation Aids

The Dispensary was built to support thousands of Packs, so filters are key to narrowing a search. At the top of the left-hand navigation bar, the “Built by Cribl” toggle restricts results to Cribl-authored Packs. Filters and search criteria are combined to narrow the results further.

[Screenshot: Dispensary filters in the left-hand navigation bar]

Packs can include Pipelines that contain Custom Functions, and Custom Functions run JavaScript inside your Stream or Edge workers. Installing a Pack that contains one therefore means running code written by the Pack’s author, so review the function source before deploying it, particularly for community-authored Packs. The “Exclude custom functions” toggle filters out Packs that use Custom Functions.

Some organizations’ security policies prohibit “custom active code”. This toggle lets those organizations quickly identify which Packs they can and cannot deploy.
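If your policy forbids custom active code, the Dispensary toggle tells you which Packs to avoid, but a Pack you received some other way (exported from another deployment, or downloaded as a file) still deserves the same check before it goes anywhere near a worker. The script below is an added example, not code from the blog post or from Cribl: it unpacks a Pack archive and reports any JavaScript files inside it. It assumes a `.crbl` Pack file is a gzip-compressed tar archive and that Custom Functions ship as `.js` files; the two sample archives and their directory layout are constructed in memory for illustration and are not Cribl’s documented layout.

```python
"""
Added example (not from the Cribl blog post or the Cribl project): vet a Pack
archive for custom active code before deploying it.

Assumptions (mine, not stated by the post):
  * a Pack file (.crbl) is a gzip-compressed tar archive;
  * Custom Functions ship as JavaScript (.js/.mjs/.cjs) files inside it.
The sample archives below are constructed in memory so the script runs offline.
"""
import io
import tarfile
from dataclasses import dataclass, field

# File suffixes we treat as "custom active code" (assumption).
ACTIVE_CODE_SUFFIXES = (".js", ".mjs", ".cjs")


@dataclass
class PackReport:
    name: str
    entries: int
    active_code: list = field(default_factory=list)

    @property
    def deployable_without_custom_code(self) -> bool:
        # Deployable under a "no custom active code" policy only if nothing was flagged.
        return not self.active_code


def scan_pack(data: bytes, name: str = "pack.crbl") -> PackReport:
    """Walk every entry of a gzip tarball and flag JavaScript files."""
    report = PackReport(name=name, entries=0)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            report.entries += 1
            if member.isfile() and member.name.lower().endswith(ACTIVE_CODE_SUFFIXES):
                report.active_code.append(member.name)
    return report


def _build_sample_pack(files: dict) -> bytes:
    """Construct a gzip tarball in memory from {path: content} (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed fixtures: the paths are illustrative, not Cribl's documented layout.
CLEAN_PACK = _build_sample_pack({
    "package.json": '{"name": "sample-clean"}',
    "README.md": "# clean pack\n",
    "default/pipelines/main/conf.yml": "functions: []\n",
})
ACTIVE_PACK = _build_sample_pack({
    "package.json": '{"name": "sample-active"}',
    "default/cribl/functions/myfunc/conf.json": "{}",
    "default/cribl/functions/myfunc/index.js": "exports.process = (e) => e;\n",
})

if __name__ == "__main__":
    for blob, label in ((CLEAN_PACK, "sample-clean"), (ACTIVE_PACK, "sample-active")):
        r = scan_pack(blob, label)
        verdict = "OK" if r.deployable_without_custom_code else "REVIEW"
        print(f"{verdict}: {r.name} ({r.entries} entries) {r.active_code}")
```

Run it against a real exported Pack by reading the `.crbl` file into `scan_pack`. A flagged Pack is not necessarily malicious; the point is that you read the listed files before installing. Note that this scan only finds Custom Functions shipped as files: Pipeline Filter and Eval expressions are also JavaScript, held as strings inside configuration, so a policy review of a Pack should cover those too.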

The Use Case filter highlights Packs that excel in each area. “Enrichment”, for example, showcases the CrowdStrike Pack.

[Screenshot: Use Case filter set to “Enrichment”, showing the CrowdStrike Pack]

This Pack includes an option to use Redis for aggregating and enriching ComputerName and other asset data via a Lookup. The Pack README provides a helpful diagram.

Adding a Pack from the Dispensary

Adding a Pack is easy. From the Manage Packs page, click the “+ Add New” button and select “Add from Dispensary”; you’ll see a familiar UI. Click the CrowdStrike Pack, then click the “+ Add Pack” button. Now explore the Pack!

Packs are a great way to get started, adopt best-practice Stream/Edge capabilities, and see the immediate impact they can make on your observability operations.

Start Packing!


Questions about our technology? We’d love to chat with you.