Cribl - Docs

Ingest-time Fields

Adding Fields to data in motion

To add new fields to any event, use the out-of-the-box Eval function. You can either set a Filter to select the events the function applies to, or leave the Filter empty to apply it to all incoming events.

Adding Fields Example

Let's see how we add dc::nyc-42 to all events with sourcetype=='access_combined':

  • First, make sure you have a route and pipeline configured to match the desired events.
  • Next, add an Eval function to the pipeline.
  • Then click Add Field, add the dc field with the value nyc-42, and Save.

To confirm, verify that this search returns results: sourcetype="access_combined" dc::nyc-42

  • You can add more conditions to the filter if you'd like. For example, to limit the field to events from hosts whose names start with web-01, change the filter input as below:

This is a very powerful method for changing incoming events in real time. In addition to providing the right context at the right time, users can benefit further because the field is added at ingest time, which allows faster analytics with tstats.

Removing Fields

Fields can be removed either by listing their names or by wildcarding them. Let's see how to remove all fields that start with date_:

  • First, make sure you have a route and pipeline configured to match the desired events.
  • Next, add an Eval function to the pipeline (as above).
  • Then, in the Remove Fields section, add date_* and hit Save.

To confirm, verify that this search stops returning results for newly ingested events: sourcetype="access_combined" date_minute=*. Enjoy a more efficient Splunk!
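The two procedures above (adding dc to matching events, then dropping date_* fields) can be modelled in a few lines of JavaScript, the language Cribl filter expressions are written in. This is an added example, not Cribl's own code: the filter is represented as a predicate function, and the sample events and the pipeline helpers (applyEval, runPipeline) are constructed here.

```javascript
// Added example: a small model of what the Eval function described above does
// to an event. This is NOT Cribl's own code; it only mirrors the behaviour
// (filter expression, Add Field, Remove Fields with wildcards) on sample events.

// Constructed sample events, shaped like Splunk-bound access_combined data.
const SAMPLE_EVENTS = [
  { host: 'web-01a', sourcetype: 'access_combined', date_minute: 7, date_hour: 14, status: 200 },
  { host: 'web-02', sourcetype: 'access_combined', date_minute: 8, status: 404 },
  { host: 'db-01', sourcetype: 'syslog', date_minute: 9, msg: 'checkpoint complete' },
];

// Turn a Remove Fields pattern such as "date_*" into an anchored regex.
// Only '*' is a wildcard; every other character is matched literally.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Apply one Eval function. `filter` stands in for the page's filter input
// (a JavaScript expression over event fields); `add` holds the Add Field
// name/value pairs; `remove` holds the Remove Fields patterns.
// Events that do not match the filter pass through unchanged.
function applyEval(event, { filter = () => true, add = {}, remove = [] } = {}) {
  if (!filter(event)) return { ...event };
  const out = { ...event, ...add };
  const patterns = remove.map(wildcardToRegExp);
  for (const name of Object.keys(out)) {
    if (patterns.some((re) => re.test(name))) delete out[name];
  }
  return out;
}

// The two procedures from the page, run as one pipeline over the samples:
// 1. add dc: 'nyc-42' to access_combined events from hosts starting with web-01
// 2. drop every field starting with date_ from access_combined events
function runPipeline(events = SAMPLE_EVENTS) {
  return events
    .map((e) => applyEval(e, {
      filter: (ev) => ev.sourcetype === 'access_combined' && (ev.host || '').startsWith('web-01'),
      add: { dc: 'nyc-42' },
    }))
    .map((e) => applyEval(e, {
      filter: (ev) => ev.sourcetype === 'access_combined',
      remove: ['date_*'],
    }));
}
```

Running runPipeline() shows only the web-01a event gaining dc, both access_combined events losing their date_* fields, and the syslog event untouched.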
