How I Stream: Solving Tricky Security Challenges and Optimizing Splunk

April 14, 2022

Greetings Criblers! We’re introducing a new series by the Criblers, for the Criblers called How I Stream!

Each month (maybe more frequently–you, too can be featured, share your insights here), we’ll share a quick profile from one of our community GOATS (Greatest of All Time Streamers) sharing use cases and lessons learned.

Our first guest goes by Hobbit in the community. In his day job, you’ll find him solving tricky security challenges, optimizing Splunk, and finding new ways to use Cribl.

What is the coolest thing you’ve done with Cribl Stream?
Complex field extractions, plus logic to enrich, and create fields that I couldn’t do in Splunk very easily. I’ve cleaned up logs, I’ve … so many cool things.

Why is it so cool for you/ your organization?
Stream allows us to not only make Multi-tenant Splunk feasible but speeds up our data normalization, as well as setting us up to integrate with any destination (Splunk, Elastic, Microsoft, etc.)

What problem were you having before finding Stream?
Trying to figure out how to scale Splunk as Data Model Acceleration was problematic.

Did you try to solve it in a different way? If so, how?
Leveraging Stream, we perform index-time field extractions, enrichment, and other normalization tasks. It is possible, but much more difficult to do this in Splunk, so better to use Stream.

How did Stream solve it?
Stream makes it simple to build out the logic (pipelines/packs) that you need, as well as to test said logic with sample data.

What do you want to tackle next (and can we help?)
Redis integration.

What tip do you have for n00bs?
Don’t waste your time on Search-Time field extractions in Splunk. Just leverage Stream to perform the extractions. It doesn’t cost you more money as Splunk only charges against the _raw, not against your extracted data. And don’t waste time with vendor-specific fields that are mapped to a CIM field correctly. Just extract to the CIM field.

Got any good goat jokes? [Goat backstory here]
You’ve goat to be kidding me…

The fastest way to get started with Cribl Stream and Cribl Edge is to try the Free Cloud Sandboxes.

.
Blog
Feature Image

Cribl Stream: Up To 47x More Efficient vs OpenTelemetry Collector

Read More
.
Blog
Feature Image

12 Ways We Sleighed Innovation This Year

Read More
.
Blog
Feature Image

Scaling Observability on a Budget with Cribl for State, Local, and Education

Read More
pattern

Try Your Own Cribl Sandbox

Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.

box

So you're rockin' Internet Explorer!

Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari

Got one of those handy?