Greetings Criblers! We’re introducing a new series by the Criblers, for the Criblers called How I Stream!
Each month (maybe more frequently–you, too can be featured, share your insights here), we’ll share a quick profile from one of our community GOATS (Greatest of All Time Streamers) sharing use cases and lessons learned.
Our first guest goes by Hobbit in the community. In his day job, you’ll find him solving tricky security challenges, optimizing Splunk, and finding new ways to use Cribl.
What is the coolest thing you’ve done with Cribl Stream?
Complex field extractions, plus logic to enrich, and create fields that I couldn’t do in Splunk very easily. I’ve cleaned up logs, I’ve … so many cool things.
Why is it so cool for you/ your organization?
Stream allows us to not only make Multi-tenant Splunk feasible but speeds up our data normalization, as well as setting us up to integrate with any destination (Splunk, Elastic, Microsoft, etc.)
What problem were you having before finding Stream?
Trying to figure out how to scale Splunk as Data Model Acceleration was problematic.
Did you try to solve it in a different way? If so, how?
Leveraging Stream, we perform index-time field extractions, enrichment, and other normalization tasks. It is possible, but much more difficult to do this in Splunk, so better to use Stream.
How did Stream solve it?
Stream makes it simple to build out the logic (pipelines/packs) that you need, as well as to test said logic with sample data.
What do you want to tackle next (and can we help?)
What tip do you have for n00bs?
Don’t waste your time on Search-Time field extractions in Splunk. Just leverage Stream to perform the extractions. It doesn’t cost you more money as Splunk only charges against the _raw, not against your extracted data. And don’t waste time with vendor-specific fields that are mapped to a CIM field correctly. Just extract to the CIM field.
Got any good goat jokes? [Goat backstory here]
You’ve goat to be kidding me…
The fastest way to get started with Cribl Stream and Cribl Edge is to try the Free Cloud Sandboxes.