├── README.md ├── splunk ├── cribldemo │ ├── demo.mode │ ├── lookups │ │ ├── threat_list.csv │ │ └── http_status.csv │ ├── default │ │ ├── app.conf │ │ ├── commands.conf │ │ ├── times.conf │ │ ├── workflow_actions.conf │ │ ├── indexes.conf │ │ └── data │ │ │ └── ui │ │ │ ├── nav │ │ │ └── default.xml │ │ │ └── views │ │ │ ├── route.xml │ │ │ ├── troubleshooting.xml │ │ │ ├── start.xml │ │ │ ├── prettify.xml │ │ │ ├── overview.xml │ │ │ ├── suppress.xml │ │ │ ├── hash.xml │ │ │ ├── encrypt.xml │ │ │ ├── trim.xml │ │ │ ├── indextimefields.xml │ │ │ ├── pii.xml │ │ │ ├── metrics.xml │ │ │ ├── filter.xml │ │ │ ├── lookup.xml │ │ │ └── smart_sample.xml │ ├── local │ │ ├── outputs.conf │ │ ├── inputs.conf │ │ ├── fields.conf │ │ ├── authorize.conf │ │ ├── cribl │ │ │ └── auth │ │ │ │ ├── cribl.secret │ │ │ │ └── keys.json │ │ ├── props.conf │ │ └── transforms.conf │ └── appserver │ │ └── static │ │ ├── images │ │ ├── cribl.png │ │ ├── hash-96.png │ │ ├── mask-96.png │ │ ├── pii-96.png │ │ ├── binary-96.png │ │ ├── clone-96.png │ │ ├── cribl-logo.png │ │ ├── encrypt-96.png │ │ ├── enrich-96.png │ │ ├── filter-96.png │ │ ├── index-96.png │ │ ├── reformat-96.png │ │ └── cribl-basic-model.png │ │ ├── cribladdress.js │ │ ├── shell.js │ │ └── dashboard.js ├── hack │ └── splunk │ │ ├── licenses │ │ └── .gitkeep │ │ └── etc │ │ ├── system │ │ └── local │ │ │ ├── server.conf │ │ │ ├── authentication.conf │ │ │ ├── ui-prefs.conf │ │ │ └── web.conf │ │ ├── apps │ │ ├── splunk_instrumentation │ │ │ └── local │ │ │ │ └── telemetry.conf │ │ └── splunk_httpinput │ │ │ └── local │ │ │ └── inputs.conf │ │ └── users │ │ └── admin │ │ └── user-prefs │ │ └── local │ │ └── user-prefs.conf ├── stop.sh ├── singleinstance │ ├── local │ │ ├── outputs.conf │ │ ├── props.conf │ │ └── inputs.conf │ ├── README │ │ └── inputs.conf.spec │ └── bin │ │ └── cribl_demo_gogen.py ├── config.sh ├── start.sh └── Dockerfile ├── cribl ├── Dockerfile ├── master │ └── groups │ │ └── logs │ │ └── local │ │ └── 
cribl │ │ ├── certificates.yml │ │ ├── inputs.yml │ │ ├── outputs.yml │ │ └── auth │ │ └── certs │ │ ├── splunk_server.crt │ │ ├── splunk_server.pem │ │ └── splunk_server.key └── cribl │ ├── auth │ ├── users.json │ └── cribl.secret │ ├── cribl.yml │ ├── pipelines │ └── route.yml │ ├── vars.yml │ ├── inputs.yml │ └── outputs.yml ├── universalforwarder ├── gogen │ ├── generators │ │ ├── timeTaken.yml │ │ └── timeTaken.lua │ ├── samples │ │ ├── webhosts.csv │ │ ├── categories.sample │ │ ├── items.sample │ │ ├── products.sample │ │ ├── external_ips.sample │ │ ├── shopping.yml │ │ └── useragents.sample │ └── raters │ │ └── timeTaken_outage.yml ├── Dockerfile └── client.pem ├── .env └── docker-compose.yml /README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /splunk/cribldemo/demo.mode: -------------------------------------------------------------------------------- 1 | true -------------------------------------------------------------------------------- /splunk/hack/splunk/licenses/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /cribl/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM cribl/cribl:latest 2 | -------------------------------------------------------------------------------- /splunk/stop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | docker kill cribl-demo -------------------------------------------------------------------------------- /splunk/cribldemo/lookups/threat_list.csv: -------------------------------------------------------------------------------- 1 | src_ip,threat_code 2 | 194.8.74.23,malware -------------------------------------------------------------------------------- 
/splunk/hack/splunk/etc/system/local/server.conf: -------------------------------------------------------------------------------- 1 | [diskUsage] 2 | minFreeSpace = 100 -------------------------------------------------------------------------------- /splunk/cribldemo/default/app.conf: -------------------------------------------------------------------------------- 1 | [ui] 2 | is_visible = 1 3 | label = Cribl Demo 4 | -------------------------------------------------------------------------------- /splunk/hack/splunk/etc/system/local/authentication.conf: -------------------------------------------------------------------------------- 1 | [splunk_auth] 2 | minPasswordLength = 1 -------------------------------------------------------------------------------- /universalforwarder/gogen/generators/timeTaken.yml: -------------------------------------------------------------------------------- 1 | name: timeTaken 2 | fileName: timeTaken.lua 3 | -------------------------------------------------------------------------------- /cribl/master/groups/logs/local/cribl/certificates.yml: -------------------------------------------------------------------------------- 1 | splunk_server: 2 | description: Splunk Server Cert 3 | -------------------------------------------------------------------------------- /splunk/cribldemo/local/outputs.conf: -------------------------------------------------------------------------------- 1 | [tcpout] 2 | disabled = true 3 | 4 | [tcpout:cribl] 5 | disabled = true 6 | -------------------------------------------------------------------------------- /splunk/cribldemo/local/inputs.conf: -------------------------------------------------------------------------------- 1 | 2 | [script://$SPLUNK_HOME/etc/apps/cribl/bin/00_start.py] 3 | disabled = true 4 | -------------------------------------------------------------------------------- /splunk/hack/splunk/etc/system/local/ui-prefs.conf: 
-------------------------------------------------------------------------------- 1 | [search] 2 | dispatch.earliest_time = -60m 3 | dispatch.latest_time = now -------------------------------------------------------------------------------- /splunk/cribldemo/default/commands.conf: -------------------------------------------------------------------------------- 1 | [decrypt] 2 | filename = cribl.py 3 | chunked = true 4 | command.arg.0 = splunk-decrypt -------------------------------------------------------------------------------- /splunk/cribldemo/default/times.conf: -------------------------------------------------------------------------------- 1 | [Last 5min to @min] 2 | label = Last 5min to @min 3 | earliest_time = -5m@m 4 | latest_time = @m -------------------------------------------------------------------------------- /splunk/hack/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf: -------------------------------------------------------------------------------- 1 | [general] 2 | optInVersionAcknowledged = 3 3 | showOptInModal = 0 -------------------------------------------------------------------------------- /universalforwarder/gogen/samples/webhosts.csv: -------------------------------------------------------------------------------- 1 | ip,host 2 | 10.2.1.33,web-01.bar.com 3 | 10.2.1.34,web-02.bar.com 4 | 10.2.1.35,web-03.bar.com -------------------------------------------------------------------------------- /cribl/cribl/auth/users.json: -------------------------------------------------------------------------------- 1 | {"username":"admin","first":"admin","last":"admin","email":"admin","passwd":"YGnKSKxO8t4cWImXkIJg9tYi8zPV1HjGqjxlrD6gkTU="} -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/cribl.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/cribl.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/hash-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/hash-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/mask-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/mask-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/pii-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/pii-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/binary-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/binary-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/clone-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/clone-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/cribl-logo.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/cribl-logo.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/encrypt-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/encrypt-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/enrich-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/enrich-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/filter-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/filter-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/index-96.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/index-96.png -------------------------------------------------------------------------------- /splunk/singleinstance/local/outputs.conf: -------------------------------------------------------------------------------- 1 | [tcpout] 2 | disabled = false 3 | indexAndForward = true 4 | defaultGroup = nowhere 5 | 6 | [tcpout:cribl] 7 | disabled = false -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/reformat-96.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/reformat-96.png -------------------------------------------------------------------------------- /splunk/cribldemo/local/fields.conf: -------------------------------------------------------------------------------- 1 | [idx_http_status_description] 2 | INDEXED=true 3 | INDEXED_VALUE=false 4 | 5 | [idx_http_status_type] 6 | INDEXED=true 7 | INDEXED_VALUE=false -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/images/cribl-basic-model.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/criblio/cribl-training/HEAD/splunk/cribldemo/appserver/static/images/cribl-basic-model.png -------------------------------------------------------------------------------- /universalforwarder/gogen/samples/categories.sample: -------------------------------------------------------------------------------- 1 | CASES 2 | DISPLAYPROTECT 3 | HEADSETS 4 | BLUETOOTH 5 | BATTERIES 6 | MEMORYCARDS 7 | CHARGERS 8 | HEADSETS 9 | MOUNTS 10 | ACCESSORIES -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/cribladdress.js: -------------------------------------------------------------------------------- 1 | const href = `https://${window.location.hostname}:9000/login?username=admin&password=cribldemo`; 2 | document.getElementById('cribluiaddress').href = href; 3 | -------------------------------------------------------------------------------- /splunk/cribldemo/local/authorize.conf: -------------------------------------------------------------------------------- 1 | [role_admin] 2 | cribl_keyclass_0 = enabled 3 | cribl_keyclass_1 = enabled 4 | cribl_keyclass_2 = enabled 5 | cribl_keyclass_3 = enabled 6 | cribl_keyclass_4 = 
enabled 7 | -------------------------------------------------------------------------------- /splunk/hack/splunk/etc/apps/splunk_httpinput/local/inputs.conf: -------------------------------------------------------------------------------- 1 | [http] 2 | disabled = 0 3 | 4 | [http://dev] 5 | disabled = 0 6 | index = main 7 | indexes = main 8 | token = 00000000-0000-0000-0000-000000000001 -------------------------------------------------------------------------------- /splunk/hack/splunk/etc/system/local/web.conf: -------------------------------------------------------------------------------- 1 | [settings] 2 | enable_insecure_login = True 3 | ui_inactivity_timeout = 43200 4 | cacheEntriesLimit = 0 5 | cacheBytesLimit = 0 6 | minify_js = False 7 | minify_css = False -------------------------------------------------------------------------------- /universalforwarder/gogen/samples/items.sample: -------------------------------------------------------------------------------- 1 | EST-19 2 | EST-18 3 | EST-14 4 | EST-6 5 | EST-26 6 | EST-17 7 | EST-16 8 | EST-15 9 | EST-27 10 | EST-7 11 | EST-21 12 | EST-11 13 | EST-12 14 | EST-13 15 | EST-20 16 | EST-1 -------------------------------------------------------------------------------- /splunk/cribldemo/default/workflow_actions.conf: -------------------------------------------------------------------------------- 1 | [link2cribl] 2 | display_location = both 3 | fields = * 4 | label = Go to Cribl Pipeline 5 | link.method = get 6 | link.target = blank 7 | link.uri = https://$splunk_server$:9000/pipelines/$cribl_pipe$ 8 | type = link -------------------------------------------------------------------------------- /splunk/config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ -n "$CRIBL_ROUTING_DEMO" ]; then 4 | cat <<-EOF >> $SPLUNK_HOME/etc/apps/cribl/local/inputs.conf 5 | [splunktcp://9997] 6 | connection_host = ip 7 | 8 | [splunktcp://9998] 9 | 
connection_host = ip 10 | EOF 11 | fi 12 | -------------------------------------------------------------------------------- /splunk/hack/splunk/etc/users/admin/user-prefs/local/user-prefs.conf: -------------------------------------------------------------------------------- 1 | [general] 2 | default_namespace = cribl 3 | search_use_advanced_editor = true 4 | search_line_numbers = false 5 | search_auto_format = false 6 | search_syntax_highlighting = dark 7 | # tz = America/Los_Angeles 8 | -------------------------------------------------------------------------------- /.env: -------------------------------------------------------------------------------- 1 | CRIBL_SPLUNK=cribl:9999 2 | CRIBL_SPLUNK_ARGS=-ssl-cert-path /opt/splunk/etc/auth/client.pem 3 | CRIBL_ELASTIC=http://cribl:10200 4 | CRIBL_HEC=http://cribl:10088/services/collector/event 5 | CRIBL_SYSLOG=cribl:5140 6 | CRIBL_KAFKA=kafka:29092 7 | CRIBL_STATSD=cribl:8125 8 | CRIBL_TCPJSON=cribl:10001 -------------------------------------------------------------------------------- /cribl/cribl/cribl.yml: -------------------------------------------------------------------------------- 1 | api: 2 | host: 0.0.0.0 3 | port: 9000 4 | disabled: false 5 | ssl: 6 | disabled: true 7 | system: 8 | intercom: false 9 | upgrade: api 10 | restart: api 11 | installType: standalone 12 | workers: 13 | count: 3 14 | memory: 2048 15 | distributed: 16 | mode: standalone 17 | -------------------------------------------------------------------------------- /cribl/cribl/pipelines/route.yml: -------------------------------------------------------------------------------- 1 | id: default 2 | routes: 3 | - id: OsuFhD 4 | name: Main Route 5 | final: true 6 | disabled: false 7 | pipeline: main 8 | description: Catchall for routing data through main pipeline 9 | clones: 10 | - {} 11 | filter: "true" 12 | output: default 13 | -------------------------------------------------------------------------------- /universalforwarder/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM cribl/universalforwarder:8.0.0 2 | ADD gogen /etc/gogen 3 | ADD https://api.gogen.io/linux/gogen /usr/bin/gogen 4 | RUN chmod 755 /usr/bin/gogen 5 | ENV SPLUNK_USER root 6 | ENV SPLUNK_START_ARGS "--accept-license --answer-yes --seed-passwd cribldemo" 7 | ADD client.pem /var/opt/splunk/etc/auth/client.pem -------------------------------------------------------------------------------- /cribl/cribl/auth/cribl.secret: -------------------------------------------------------------------------------- 1 | Y3LbuaqwCAc9SKazbXoCsLjjvraFKaxj8Lw2FN+antLAZ3bnoDwdllVSnSY31PUCe+sfkje+xLGIUAxNs9zSlkTf7OXPXtXERE8vj40myT3ZqNxN8iyVWgjWMTD9iT7snl9MhL3xae0LAUyhBW62ioxRMqfKN9aa0+/ZKsYI0kE/rgGAew7GmiQKy8pV1lHpDlQDBZOOdUuKYcNmgz58225G8wfghQeInw1DJ7gQI0lp08qIqOJbmKetOXWEGfM8RhTgoWggLReitWpgM/+CXCtWSBTEuB4HzcEEMECEMnWWFzkQp+jNlwZvLYANe/F+ANIiSbqOL9C18tHLnWCcxw== -------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/shell.js: -------------------------------------------------------------------------------- 1 | const src = `${window.location.protocol}//${window.location.hostname}:27425/`; 2 | // console.log('shell src: ', src); 3 | document.getElementById('shell_iframe').src = src; 4 | setTimeout(() => { 5 | document.getElementById('shell_iframe').contentWindow.postMessage({ command: 'tail -f /tmp/events.ndjson\n' }, src); 6 | }, 2000); 7 | -------------------------------------------------------------------------------- /splunk/cribldemo/local/cribl/auth/cribl.secret: -------------------------------------------------------------------------------- 1 | 
2YZ8FQqrGFwB2eBxTUhGvVX23issTErKWkuVGKxcxSoYSLm7e1zUn841OFb+Co7TLihyxHhQthCEE5nGH3lJrCvYJ3i01skLLl8mIlpe3pJgGgKypD51zX0a0ybfx871tCL8O03CTDZGHZ0iZqKDFe62HoJRnYoIuHbTFFp0Go0ZO/nnVNIOyJ0tMTpU8e4fShU3yOMk+PULS2xTQoQCauCSHI15hSw/eUzgVwMCEsn4VxDu3LzvYe4HEGmtxMjw9GAblLb7gmQJcpoBCLKioBYRYbQVflfF2plE2Ne21o6dy7jOsEW5W47u1W54jA5yJsPBfnsml1NyUZSRpGxdJg== -------------------------------------------------------------------------------- /splunk/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Start Cribl and Splunk demo in a single container 4 | docker run \ 5 | -d \ 6 | --rm \ 7 | --name cribl-demo \ 8 | --hostname cribl-demo \ 9 | --publish 8000:8000 \ 10 | --publish 8088:8088 \ 11 | --publish 8089:8089 \ 12 | --publish 9000:9000 \ 13 | --publish 10080:10080 \ 14 | -e DONT_TIMEOUT=1 \ 15 | cribl/cribl-demo:latest 16 | -------------------------------------------------------------------------------- /cribl/cribl/vars.yml: -------------------------------------------------------------------------------- 1 | criblIndex: 2 | type: expression 3 | lib: custom 4 | description: Checks if index is cribl 5 | args: 6 | - type: string 7 | name: additional 8 | value: "index=='cribl' && (additional === undefined ? 
true : additional)" 9 | tags: routing 10 | accessCombined: 11 | type: expression 12 | lib: custom 13 | description: Access combined events 14 | value: index=='cribl' && sourcetype=='access_combined' 15 | tags: routing -------------------------------------------------------------------------------- /cribl/cribl/inputs.yml: -------------------------------------------------------------------------------- 1 | inputs: 2 | http: 3 | type: http 4 | disabled: false 5 | host: 0.0.0.0 6 | port: 10080 7 | criblAPI: /cribl 8 | splunkHecAPI: "" 9 | tls: 10 | disabled: true 11 | authToken: "" 12 | tcpjson: 13 | type: tcpjson 14 | disabled: false 15 | pipeline: tcpjson-conditioning 16 | host: 0.0.0.0 17 | port: 10001 18 | tls: 19 | disabled: true 20 | ipWhitelistRegex: /.*/ 21 | authToken: "" 22 | -------------------------------------------------------------------------------- /splunk/singleinstance/local/props.conf: -------------------------------------------------------------------------------- 1 | [access_combined] 2 | REPORT-apachebytes = apachebytes 3 | REPORT-apachesrc = apachesrc 4 | REPORT-apachestatus = apachestatus 5 | REPORT-apacheclientip = apacheclientip 6 | REPORT-apachetimetaken = apachetimetaken 7 | FIELDALIAS-responsetime = other AS time_taken 8 | LOOKUP-http_status_description = http_status status OUTPUT status_description AS http_status_description 9 | LOOKUP-http_status_type = http_status status OUTPUT status_type AS http_status_type 10 | 11 | [lambda] 12 | KV_MODE=json -------------------------------------------------------------------------------- /splunk/cribldemo/local/props.conf: -------------------------------------------------------------------------------- 1 | [default] 2 | TRANSFORMS-cribl = 3 | 4 | 5 | [access_combined] 6 | REPORT-apachebytes = apachebytes 7 | REPORT-apachesrc = apachesrc 8 | REPORT-apachestatus = apachestatus 9 | REPORT-apacheclientip = apacheclientip 10 | REPORT-apachetimetaken = apachetimetaken 11 | FIELDALIAS-responsetime = other 
AS time_taken 12 | LOOKUP-http_status_description = http_status status OUTPUT status_description AS http_status_description 13 | LOOKUP-http_status_type = http_status status OUTPUT status_type AS http_status_type 14 | 15 | [lambda] 16 | KV_MODE=json -------------------------------------------------------------------------------- /cribl/master/groups/logs/local/cribl/inputs.yml: -------------------------------------------------------------------------------- 1 | inputs: 2 | splunk: 3 | disabled: false 4 | host: 0.0.0.0 5 | tls: 6 | disabled: false 7 | requestCert: false 8 | rejectUnauthorized: false 9 | commonNameRegex: /.*cribl\.io.*/ 10 | certPath: $CRIBL_HOME/local/cribl/auth/certs/splunk_server.crt 11 | privKeyPath: $CRIBL_HOME/local/cribl/auth/certs/splunk_server.key 12 | caPath: $CRIBL_HOME/local/cribl/auth/certs/splunk_server.pem 13 | ipWhitelistRegex: /.*/ 14 | staleChannelFlushMs: 10000 15 | type: splunk 16 | port: 9999 17 | -------------------------------------------------------------------------------- /splunk/singleinstance/local/inputs.conf: -------------------------------------------------------------------------------- 1 | 2 | [script://./bin/email.sh] 3 | interval = -1 4 | disabled = false 5 | index = _internal 6 | source = cribl_email 7 | 8 | [script://$SPLUNK_HOME/etc/apps/cribl/bin/00_start.py] 9 | disabled = false 10 | 11 | [cribl_demo_gogen://gogen] 12 | config_type = config_dir 13 | 14 | [splunktcp://9997] 15 | disabled = false 16 | 17 | # cooked data -> criblQ 18 | # cribled data -> indexQ 19 | [splunktcp] 20 | route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:__CRIBBLED:indexQueue;has_key:_linebreaker:criblQueue;absent_key:_linebreaker:parsingQueue -------------------------------------------------------------------------------- /cribl/cribl/outputs.yml: -------------------------------------------------------------------------------- 1 | outputs: 2 | statsd: 3 | type: router 4 | rules: 5 | - filter: 
"true" 6 | output: splunk-metrics 7 | final: false 8 | onBackpressure: block 9 | splunk-metrics: 10 | dnsResolvePeriodSec: 60 11 | excludeSelf: true 12 | loadBalanceStatsPeriodSec: 300 13 | indexerDiscovery: false 14 | throttleRatePerSec: "0" 15 | tls: 16 | disabled: true 17 | connectionTimeout: 5000 18 | writeTimeout: 10000 19 | onBackpressure: queue 20 | pipeline: metrics_to_logs 21 | hosts: 22 | - port: 9998 23 | tls: inherit 24 | weight: 1 25 | host: splunk 26 | type: splunk_lb 27 | -------------------------------------------------------------------------------- /splunk/cribldemo/local/transforms.conf: -------------------------------------------------------------------------------- 1 | [route2criblQueue] 2 | REGEX = ^[^_] 3 | 4 | [apachebytes] 5 | REGEX = (?i)^(?:[^\"]*\"){6}\s+(?.+) 6 | 7 | [apachesrc] 8 | REGEX = (?[A-Za-z0-9\-\_\.]+?)\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s-\s-\s\[ 9 | 10 | [apachestatus] 11 | REGEX = HTTP 1\.1\"\s(?\d{3})\s 12 | 13 | [apacheclientip] 14 | REGEX = [A-Za-z0-9\-\_\.]+?\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s-\s-\s\[ 15 | 16 | [apachetimetaken] 17 | REGEX = (?i)^(?:[^\"]*\"){2}\s+\d+\s+(?\d+) 18 | 19 | [http_status] 20 | filename = http_status.csv 21 | 22 | [dnsLookup] 23 | external_cmd = external_lookup.py host ip 24 | fields_list = host, ip 25 | 26 | [threat_list] 27 | filename = threat_list.csv -------------------------------------------------------------------------------- /splunk/cribldemo/default/indexes.conf: -------------------------------------------------------------------------------- 1 | [cribl] 2 | coldPath = $SPLUNK_DB/cribl/colddb 3 | enableDataIntegrityControl = 0 4 | enableTsidxReduction = 0 5 | homePath = $SPLUNK_DB/cribl/db 6 | maxTotalDataSizeMB = 5000 7 | thawedPath = $SPLUNK_DB/cribl/thaweddb 8 | 9 | [cribl-modified] 10 | coldPath = $SPLUNK_DB/cribl-modified/colddb 11 | enableDataIntegrityControl = 0 12 | enableTsidxReduction = 0 13 | homePath = $SPLUNK_DB/cribl-modified/db 14 | maxTotalDataSizeMB = 5000 15 
| thawedPath = $SPLUNK_DB/cribl-modified/thaweddb 16 | 17 | [cribl-metrics] 18 | coldPath = $SPLUNK_DB/cribl-metrics/colddb 19 | enableDataIntegrityControl = 0 20 | enableTsidxReduction = 0 21 | homePath = $SPLUNK_DB/cribl-metrics/db 22 | maxTotalDataSizeMB = 5000 23 | thawedPath = $SPLUNK_DB/cribl-metrics/thaweddb 24 | datatype = metric -------------------------------------------------------------------------------- /splunk/cribldemo/default/data/ui/nav/default.xml: -------------------------------------------------------------------------------- 1 | 31 | -------------------------------------------------------------------------------- /splunk/cribldemo/local/cribl/auth/keys.json: -------------------------------------------------------------------------------- 1 | {"keyId":"0","algorithm":"aes-256-cbc","keyclass":0,"kms":"local","created":1544677114.304,"expires":0,"useIV":false,"cipherKey":"4kcRFY6Yfws6+Y7Nrki/MvrqaH9zOhCO5ldJXwy4J43h50y5j5ML3uCII6Rl2uzy"} 2 | {"keyId":"1","algorithm":"aes-256-cbc","keyclass":1,"kms":"local","created":1544677141.188,"expires":0,"useIV":false,"cipherKey":"EXVXvU//H375Ma0tvB6TrrdUIyBnG6xkEBEnyySkT2p0V7a1BqY/23wfMmMQpcwl"} 3 | {"keyId":"2","algorithm":"aes-256-cbc","keyclass":2,"kms":"local","created":1544677143.57,"expires":0,"useIV":false,"cipherKey":"RP2GZluQvThy7SV9/ol2IRb6wBUSBsVSc7m70tJgIV2Ed7yYD++q3vnZ3hiLVYbh"} 4 | {"keyId":"3","algorithm":"aes-256-cbc","keyclass":3,"kms":"local","created":1544677146.716,"expires":0,"useIV":false,"cipherKey":"6MkdnU4kIW05bPrGmjXburUL77523W+wOffxGheIh+2GJvZ0k4nlA+ZihHxJeEKI"} 5 | {"keyId":"4","algorithm":"aes-256-cbc","keyclass":4,"kms":"local","created":1544677149.193,"expires":0,"useIV":false,"cipherKey":"lQSHsl8OYdjG5zAIYANtDy/3XFLDcxwUQTOuql+bmV7pX1ruRTa3VEOUay+JDqsH"} -------------------------------------------------------------------------------- /splunk/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM cribl/splunk:8.0.0 2 | ARG 
CRIBL_DISTRO=cribl-splunk-app 3 | RUN sh -c 'echo dash dash/sh boolean false | debconf-set-selections' && \ 4 | sh -c 'DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash' && \ 5 | apt-get update && \ 6 | apt-get install -y vim nano curl ca-certificates jq && \ 7 | rm -rf /var/lib/apt/lists/* 8 | RUN VERSION=$(curl -s https://cdn.cribl.io/versions.json | jq -r .version) && \ 9 | curl -Lso /tmp/${CRIBL_DISTRO}.tgz https://cdn.cribl.io/dl/$(echo ${VERSION} | cut -d '-' -f 1)/${CRIBL_DISTRO}-${VERSION}-linux-x64.tgz && \ 10 | tar -zxvf /tmp/${CRIBL_DISTRO}.tgz -C /var/opt/splunk/etc/apps && \ 11 | rm /tmp/${CRIBL_DISTRO}.tgz 12 | COPY hack/splunk/etc /var/opt/splunk/etc 13 | COPY config.sh /var/opt/splunk/etc/apps/cribl/bin/config.sh 14 | COPY cribldemo/ /var/opt/splunk/etc/apps/cribl/ 15 | ENV SPLUNK_USER root 16 | ENV SPLUNK_START_ARGS "--accept-license --answer-yes --seed-passwd cribldemo" 17 | ENV SPLUNK_BEFORE_START_CMD "version ${SPLUNK_START_ARGS}" 18 | ENV SPLUNK_BEFORE_START_CMD_1 "cmd /bin/bash /opt/splunk/etc/apps/cribl/bin/config.sh" 19 | -------------------------------------------------------------------------------- /splunk/singleinstance/README/inputs.conf.spec: -------------------------------------------------------------------------------- 1 | [cribl_demo_gogen://] 2 | 3 | config = 4 | * Short Gogen path (coccyx/weblog for example), full file path,local file in config directory, or URL pointing to YAML or JSON config. 5 | 6 | config_type = 7 | * local_file / short_path / full_file_path / url 8 | 9 | count = 10 | * Count of events to generate every interval. Overrides any amounts set in the Gogen config. 11 | 12 | gogen_interval = 13 | * Generate events every interval seconds. Overrides any interval set in the Gogen config. 14 | 15 | end_intervals = 16 | * Generate events for endIntervals and stop. Overrides any endInterval set in the Gogen config. 17 | 18 | begin = 19 | * Start generating events at begin time. 
Can use Splunk's relative time syntax or an absolute time. Overrides any begin setting in the Gogen config. 20 | 21 | end = 22 | * End generating events at end time. Can use Splunk's relative time syntax or an absolute time. Overrides any end setting in the Gogen config. 23 | 24 | generator_threads = 25 | * Sets number of generator threads 26 | -------------------------------------------------------------------------------- /cribl/master/groups/logs/local/cribl/outputs.yml: -------------------------------------------------------------------------------- 1 | outputs: 2 | default: 3 | defaultId: splunk 4 | type: default 5 | splunk: 6 | dnsResolvePeriodSec: 60 7 | excludeSelf: true 8 | loadBalanceStatsPeriodSec: 300 9 | indexerDiscovery: false 10 | throttleRatePerSec: "0" 11 | tls: 12 | disabled: true 13 | connectionTimeout: 10000 14 | writeTimeout: 60000 15 | onBackpressure: block 16 | hosts: 17 | - port: 9997 18 | tls: inherit 19 | weight: 1 20 | host: splunk 21 | type: splunk_lb 22 | statsd: 23 | type: router 24 | rules: 25 | - filter: "true" 26 | output: splunk-metrics 27 | final: false 28 | onBackpressure: block 29 | splunk-metrics: 30 | dnsResolvePeriodSec: 60 31 | excludeSelf: true 32 | loadBalanceStatsPeriodSec: 300 33 | indexerDiscovery: false 34 | throttleRatePerSec: "0" 35 | tls: 36 | disabled: true 37 | connectionTimeout: 5000 38 | writeTimeout: 10000 39 | onBackpressure: queue 40 | pipeline: metrics_to_logs 41 | hosts: 42 | - port: 9998 43 | tls: inherit 44 | weight: 1 45 | host: splunk 46 | type: splunk_lb 47 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.5" 2 | services: 3 | cribl: 4 | build: 5 | context: cribl 6 | ports: 7 | - 10200:10200 8 | - 10088:10088 9 | - 10080:10080 10 | - 10001:10001 11 | - 9999:9999 12 | - 9000:9000 13 | - 8125:8125 14 | - 8125:8125/udp 15 | - 5140:5140 16 | volumes: 17 | - 
./cribl/cribl:/opt/cribl/local/cribl 18 | - ./cribl/data:/opt/cribl/data 19 | - /var/run/docker.sock:/var/run/docker.sock 20 | gogen-accesscombined-forwarder: 21 | build: 22 | context: universalforwarder 23 | environment: 24 | - SPLUNK_CMD=cmd mkdir -p /var/log/httpd 25 | - SPLUNK_CMD_1=cmd gogen -v -cd /etc/gogen -o file --filename 26 | /var/log/httpd/access_log -lj gen -s shoppingapache 2>/var/log/gogen.log 27 | & 28 | - SPLUNK_CMD_2=add monitor /var/log/httpd/access_log -auth admin:cribldemo 29 | -sourcetype access_combined -index cribl 30 | - SPLUNK_CMD_3=add forward-server ${CRIBL_SPLUNK} -auth admin:cribldemo 31 | ${CRIBL_SPLUNK_ARGS} 32 | splunk: 33 | build: 34 | context: splunk 35 | ports: 36 | - 8000:8000 37 | - 8088:8088 38 | - 8089:8089 39 | - 9997:9997 40 | environment: 41 | - DONT_TIMEOUT=1 42 | - CRIBL_ROUTING_DEMO=1 43 | -------------------------------------------------------------------------------- /universalforwarder/gogen/raters/timeTaken_outage.yml: -------------------------------------------------------------------------------- 1 | name: timeTaken_outage 2 | type: config 3 | options: 4 | MinuteOfHour: 5 | 0: 1.0 6 | 1: 1.0 7 | 2: 1.0 8 | 3: 1.0 9 | 4: 1.0 10 | 5: 1.0 11 | 6: 1.0 12 | 7: 1.0 13 | 8: 1.0 14 | 9: 1.0 15 | 10: 1.0 16 | 11: 1.0 17 | 12: 1.0 18 | 13: 1.0 19 | 14: 1.0 20 | 15: 1.0 21 | 16: 1.0 22 | 17: 1.0 23 | 18: 1.0 24 | 19: 1.0 25 | 20: 1.0 26 | 21: 1.0 27 | 22: 1.0 28 | 23: 1.0 29 | 24: 1.0 30 | 25: 1.0 31 | 26: 1.0 32 | 27: 1.0 33 | 28: 1.0 34 | 29: 1.0 35 | 30: 1.0 36 | 31: 1.0 37 | 32: 1.0 38 | 33: 1.0 39 | 34: 1.0 40 | 35: 1.0 41 | 36: 5.0 42 | 37: 5.0 43 | 38: 1.0 44 | 39: 1.0 45 | 40: 1.0 46 | 41: 1.0 47 | 42: 1.0 48 | 43: 1.0 49 | 44: 1.0 50 | 45: 1.0 51 | 46: 1.0 52 | 47: 1.0 53 | 48: 1.0 54 | 49: 1.0 55 | 50: 1.0 56 | 51: 1.0 57 | 52: 1.0 58 | 53: 1.0 59 | 54: 1.0 60 | 55: 1.0 61 | 56: 1.0 62 | 57: 1.0 63 | 58: 1.0 64 | 59: 1.0 -------------------------------------------------------------------------------- 
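The compose file and the logs group's outputs.yml above carry three settings worth flagging before this demo leaves a laptop: the cribl service mounts /var/run/docker.sock (whoever controls that socket controls the host's Docker daemon, which is root on the host), the forwarder's SPLUNK_CMD_* variables embed the admin:cribldemo credential in plaintext, and both Splunk outputs set tls.disabled: true, so events cross the Docker network in cleartext. The script below is an added example, not code from the demo repo: it encodes those checks and runs them over the two configurations, transcribed by hand into Python dicts so it runs offline (in practice you would load each file with yaml.safe_load). The finding texts and function names are the example's own.

```python
"""Flag risky settings in a docker-compose service map and a Cribl outputs.yml.

Added example, not part of the demo repo. COMPOSE and OUTPUTS are constructed by
hand from the repo's docker-compose.yml and outputs.yml so the script runs
offline; in real use load each file with yaml.safe_load() instead.
"""
import re
from typing import Any, Dict, List

DOCKER_SOCK = "/var/run/docker.sock"
# Splunk CLI "-auth user:password", as used in the forwarder's SPLUNK_CMD_* variables
AUTH_RE = re.compile(r"-auth\s+([^\s:]+):(\S+)")

COMPOSE: Dict[str, Any] = {  # constructed from docker-compose.yml
    "services": {
        "cribl": {
            "ports": ["9000:9000", "8125:8125", "8125:8125/udp", "5140:5140"],
            "volumes": [
                "./cribl/cribl:/opt/cribl/local/cribl",
                "/var/run/docker.sock:/var/run/docker.sock",
            ],
        },
        "gogen-accesscombined-forwarder": {
            "environment": [
                "SPLUNK_CMD=cmd mkdir -p /var/log/httpd",
                "SPLUNK_CMD_2=add monitor /var/log/httpd/access_log -auth admin:cribldemo "
                "-sourcetype access_combined -index cribl",
            ],
        },
    }
}

OUTPUTS: Dict[str, Any] = {  # constructed from the logs group's outputs.yml
    "outputs": {
        "splunk": {"type": "splunk_lb", "tls": {"disabled": True},
                   "hosts": [{"host": "splunk", "port": 9997}]},
        "statsd": {"type": "router", "rules": [{"filter": "true", "output": "splunk-metrics"}]},
        "splunk-metrics": {"type": "splunk_lb", "tls": {"disabled": True},
                           "hosts": [{"host": "splunk", "port": 9998}]},
    }
}


def _env_items(env: Any) -> List[str]:
    """Normalise a compose 'environment' (list of KEY=VAL or a mapping) to KEY=VAL strings."""
    if isinstance(env, dict):
        return [f"{k}={v}" for k, v in env.items()]
    return [str(e) for e in (env or [])]


def audit_compose(compose: Dict[str, Any]) -> List[str]:
    """One finding per risky volume mount, embedded credential, or wide-open port binding."""
    findings: List[str] = []
    for name, svc in (compose.get("services") or {}).items():
        for vol in svc.get("volumes") or []:
            # short syntax is "host:container[:mode]"; long syntax is a mapping with "source"
            src = vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]
            if src == DOCKER_SOCK:
                findings.append(f"{name}: mounts {DOCKER_SOCK} (control of the host Docker daemon, i.e. root on the host)")
        for item in _env_items(svc.get("environment")):
            m = AUTH_RE.search(item)
            if m:
                findings.append(f"{name}: plaintext credential for user '{m.group(1)}' in environment")
        exposed: List[str] = []
        for port in svc.get("ports") or []:
            parts = str(port).split(":")
            # "9000:9000" or "9000" binds 0.0.0.0; "127.0.0.1:9000:9000" binds loopback only
            if len(parts) < 3 and parts[0] not in exposed:
                exposed.append(parts[0])
        if exposed:
            findings.append(f"{name}: ports {','.join(exposed)} published on all interfaces")
    return findings


def audit_outputs(outputs: Dict[str, Any]) -> List[str]:
    """One finding per Splunk output that has TLS switched off."""
    findings: List[str] = []
    for name, out in (outputs.get("outputs") or {}).items():
        if not str(out.get("type", "")).startswith("splunk"):
            continue  # "default" and "router" entries carry no transport settings
        if (out.get("tls") or {}).get("disabled"):
            dests = ", ".join(f"{h.get('host')}:{h.get('port')}" for h in out.get("hosts") or [])
            findings.append(f"{name}: TLS disabled, events sent in cleartext to {dests}")
    return findings


if __name__ == "__main__":
    for finding in audit_compose(COMPOSE) + audit_outputs(OUTPUTS):
        print(finding)
```

The port check only understands the short "host:container" syntax; a compose file that uses the long mapping form would need its host_ip and published keys read instead. Binding the published ports to 127.0.0.1 (for example "127.0.0.1:9000:9000") is the smallest change that keeps the Cribl UI, whose users.json sits in the repo, off every interface of the host.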
/universalforwarder/gogen/generators/timeTaken.lua: --------------------------------------------------------------------------------
1 | 
2 | -- HACK
3 | -- Gogen API doesn't let us just pick a random choice
4 | -- So we need to know how big the session.csv file is
5 | sessionCount = 1570
6 | 
7 | -- count, getLine, getFieldChoiceItem, setToken, replaceTokens and sendEvent are
8 | -- globals supplied by Gogen's Lua generator runtime, not defined in this file.
9 | 
10 | -- These 4 sessions are hard coded to have poorer response times
11 | -- In our scenario, they are all from Lake Tahoe
12 | badsessions = {}
13 | for i = sessionCount-4,sessionCount-1 do
14 |   badsessions[getFieldChoiceItem("sessionIdForGenerator", "sessionId", i)] = true
15 | end
16 | 
17 | -- We want an approximately gaussian distribution, so use the central limit theorem to approximate one
18 | -- (the mean of six uniform draws is close to normal on [0,1]); see the example from
19 | -- https://stackoverflow.com/questions/25582882/javascript-math-random-normal-distribution-gaussian-bell-curve
20 | function gaussianRand()
21 |   local rand = 0
22 |   for i = 0,5 do
23 |     rand = rand + math.random()
24 |   end
25 | 
26 |   return rand / 6
27 | end
28 | 
29 | -- Integer in [lower, higher], concentrated around the middle of the range
30 | function gaussianRandom(lower, higher)
31 |   return math.floor(lower + gaussianRand() * (higher - lower + 1))
32 | end
33 | 
34 | l = getLine(0)
35 | for i = 1,count do
36 |   session = getFieldChoiceItem("sessionIdForGenerator", "sessionId", math.random(0, sessionCount-1))
37 |   setToken("sessionId", session)
38 |   timeTaken = gaussianRandom(50, 250)
39 |   if badsessions[session] then
40 |     timeTaken = timeTaken * gaussianRandom(5, 10)
41 |   end
42 |   setToken("timeTaken", timeTaken)
43 |   se = replaceTokens(l)
44 |   sendEvent(se)
45 | end
-------------------------------------------------------------------------------- /splunk/cribldemo/lookups/http_status.csv: --------------------------------------------------------------------------------
1 | status,status_description,status_type
2 | 100,Continue,Informational
3 | 101,Switching Protocols,Informational
4 | 200,OK,Successful
5 | 201,Created,Successful
6 | 202,Accepted,Successful
7 | 203,Non-Authoritative Information,Successful
8 | 204,No Content,Successful
9 | 205,Reset Content,Successful
10 | 206,Partial Content,Successful
11 | 300,Multiple Choices,Redirection
12 | 301,Moved Permanently,Redirection
13 | 302,Found,Redirection
14 | 303,See Other,Redirection
15 | 304,Not Modified,Redirection
16 | 305,Use Proxy,Redirection
17 | 307,Temporary Redirect,Redirection
18 | 400,Bad Request,Client Error
19 | 401,Unauthorized,Client Error
20 | 402,Payment Required,Client Error
21 | 403,Forbidden,Client Error
22 | 404,Not Found,Client Error
23 | 405,Method Not Allowed,Client Error
24 | 406,Not Acceptable,Client Error
25 | 407,Proxy Authentication Required,Client Error
26 | 408,Request Timeout,Client Error
27 | 409,Conflict,Client Error
28 | 410,Gone,Client Error
29 | 411,Length Required,Client Error
30 | 412,Precondition Failed,Client Error
31 | 413,Request Entity Too Large,Client Error
32 | 414,Request-URI Too Long,Client Error
33 | 415,Unsupported Media Type,Client Error
34 | 416,Requested Range Not Satisfiable,Client Error
35 | 417,Expectation Failed,Client Error
36 | 500,Internal Server Error,Server Error
37 | 501,Not Implemented,Server Error
38 | 502,Bad Gateway,Server Error
39 | 503,Service Unavailable,Server Error
40 | 504,Gateway Timeout,Server Error
41 | 505,HTTP Version Not Supported,Server Error
-------------------------------------------------------------------------------- /splunk/cribldemo/appserver/static/dashboard.js: --------------------------------------------------------------------------------
1 | const name = undefined;
2 | const email = undefined;
3 | 
4 | /* pipelines */
5 | Array.from(document.getElementsByClassName('pipeline-name')).forEach(element => {
6 |   const pipelineId = element.id;
7 |   element.href = `https://${window.location.hostname}:9000/pipelines/${pipelineId}`;
8 | });
9 | 
10 | /* eslint-disable */
11 | 
12 | // Must be declared before the loader below: the "Intercom already present" branch
13 | // reads it immediately, and a `const` cannot be read before its declaration has run.
14 | const intercomSettings = {
15 |   app_id: "s8fj4krt",
16 |   name,
17 |   email,
18 | };
19 | 
20 | (function () {
21 |   var w = window;
22 |   var ic = w.Intercom;
23 |   if (typeof ic === "function") {
24 |     ic('reattach_activator');
25 |     ic('update', intercomSettings);
26 |   } else {
27 |     var d = document;
28 |     var i = function () {
29 |       i.c(arguments)
30 |     };
31 |     i.q = [];
32 |     i.c = function (args) {
33 |       i.q.push(args)
34 |     };
35 |     w.Intercom = i;
36 |     var loaded = false;
37 |     function l() {
38 |       if(loaded) return;
39 |       loaded = true;
40 |       // Injects Intercom's third-party widget script into the Splunk UI; any CSP on
41 |       // the page has to allow widget.intercom.io for this to load.
42 |       var s = d.createElement('script');
43 |       s.type = 'text/javascript';
44 |       s.async = true; s.src = 'https://widget.intercom.io/widget/s8fj4krt';
45 |       var x = d.getElementsByTagName('script')[0];
46 |       x.parentNode.insertBefore(s, x);
47 |     }
48 |     if(d.readyState == 'complete') { // 'load' has already fired
49 |       l();
50 |     } else if (w.attachEvent) {
51 |       w.attachEvent('onload', l);
52 |     } else {
53 |       w.addEventListener('load', l, false);
54 |     }
55 |     // last ditch effort to call load
56 |     setTimeout(l, 5000);
57 |   }
58 | }
59 | )()
60 | 
61 | console.log('intercomSettings: ', intercomSettings);
62 | window.Intercom('boot', intercomSettings);
63 | window.Intercom('update');
64 | 
-------------------------------------------------------------------------------- /splunk/cribldemo/default/data/ui/views/route.xml: -------------------------------------------------------------------------------- 1 |
2 | 3 | 4 | 5 | 6 |

7 | Cribl Pipeline: Route 11 |

12 |

13 | Splunk's forwarder is the best and most mature log data gathering technology, but until now it has only been able to deliver data to Splunk. Many of our customers and prospects have expressed a desire to send some of the data they gather to Splunk and some of it to third-party systems, like S3, NFS, Hadoop, or other file stores. Cribl makes this possible. 14 |

15 |

16 | In this example, we're simply tee-ing the data to a file using the Unix tee command. The file is /tmp/events.ndjson. At startup, we've executed tail -f /tmp/events.ndjson. Feel free to ^C and take a look at the file yourself with vi, grep, etc. The file is in newline-delimited JSON (NDJSON) format, one event per line. Also, try using jq on the data, by executing a command like tail -f /tmp/events.ndjson | jq . (the trailing dot is jq's identity filter, which pretty-prints each event). 17 |

18 | 19 |
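The tee'd file is NDJSON, one JSON object per line, and a reader that follows it while Cribl is still writing (as tail -f does) will sometimes see a line that has been cut mid-write; note also that a file under /tmp is readable by every local user unless the writer sets a tighter mode. The following is an added example, not code from the demo: it parses such a file in chunks, carrying an incomplete trailing line over to the next chunk, setting aside lines that are not JSON objects instead of aborting, and summarising what arrived. The sample lines are constructed to resemble the demo's access_combined events; the field names (_raw, host, sourcetype, index) are assumed, not taken from the actual file.

```python
"""Chunked NDJSON reader for the /tmp/events.ndjson file the route tees to.

Added example, not code from the demo. The sample events and their field names
are constructed to resemble the demo's access_combined events.
"""
import json
import re
from collections import Counter
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Apache combined format: ... "METHOD /path HTTP/1.1" <status> <bytes-or-dash>
STATUS_RE = re.compile(r'" (\d{3}) (?:\d+|-)')

# Constructed sample: three events shaped like the demo's access_combined output.
EVENT_LINES = [
    '{"_raw": "12.130.60.4 - - [21/Jan/2020:00:18:27 -0700] \\"GET /product.screen?product_id=DP-IPHONE5 HTTP/1.1\\" 200 1832", '
    '"host": "www1", "sourcetype": "access_combined", "index": "cribl"}',
    '{"_raw": "125.17.14.100 - - [21/Jan/2020:00:18:28 -0700] \\"GET /static/jquery.js HTTP/1.1\\" 200 612", '
    '"host": "www2", "sourcetype": "access_combined", "index": "cribl"}',
    '{"_raw": "12.130.60.5 - - [21/Jan/2020:00:18:29 -0700] \\"POST /cart.do?action=purchase HTTP/1.1\\" 503 412", '
    '"host": "www1", "sourcetype": "access_combined", "index": "cribl"}',
]
FULL = "\n".join(EVENT_LINES) + "\n"
CUT = 40  # simulate the reader racing the writer: the third line is split mid-way
CHUNK_1 = FULL[:-CUT]
CHUNK_2 = FULL[-CUT:] + "not json\n"  # rest of line 3, then a line that is not JSON


def parse_ndjson(chunk: str, carry: str = "") -> Tuple[List[Event], List[str], str]:
    """Parse one chunk of NDJSON.

    Returns (events, bad_lines, remainder). `remainder` is the text after the
    last newline, i.e. a line still being written; pass it back as `carry` with
    the next chunk. Lines that are not a JSON object land in `bad_lines`.
    """
    lines = (carry + chunk).split("\n")
    remainder = lines.pop()  # "" when the chunk ended on a newline
    events: List[Event] = []
    bad: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad.append(line)
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            bad.append(line)
    return events, bad, remainder


def status_of(raw: str) -> str:
    """HTTP status code from an access_combined _raw string, or 'unknown'."""
    m = STATUS_RE.search(raw)
    return m.group(1) if m else "unknown"


def count_by(events: List[Event], field: str) -> Counter:
    """Event count per value of `field` (missing field counts under '')."""
    return Counter(str(e.get(field, "")) for e in events)


def status_counts(events: List[Event]) -> Counter:
    """Event count per HTTP status code found in _raw."""
    return Counter(status_of(str(e.get("_raw", ""))) for e in events)


if __name__ == "__main__":
    ev, bad, rest = parse_ndjson(CHUNK_1)            # 2 events, partial third line carried
    more, more_bad, rest = parse_ndjson(CHUNK_2, carry=rest)
    print(count_by(ev + more, "host"), status_counts(ev + more), bad + more_bad, repr(rest))
```

Reading a real file the same way means keeping `remainder` between reads and only treating it as an event once a newline arrives after it; anything still in `remainder` at end of input was never completed and should be reported, not parsed.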
20 | 21 | Original vs. Modified 22 | 23 | 24 | 25 | 26 |
27 |
-------------------------------------------------------------------------------- /universalforwarder/gogen/samples/products.sample: -------------------------------------------------------------------------------- 1 | CC-P3-OTTERBOX-OBIPHONE4 2 | CC-P3-OTTERBOX-OBIPHONE5 3 | CC-P3-BELKIN-SILBLKIPH4 4 | CC-P3-BELKIN-SILBLKIPH5 5 | CC-P3-APPLE-BUMPIPHONE4 6 | CC-P4-OTTERBOX-OBDROID4 7 | CC-T7-ZAGG-FOLIOMINI 8 | CC-T7-BELKIN-SLEEVE 9 | CC-T10-RIM-BBERRYPLAY 10 | CC-T11-ZAGG-FOLIO 11 | CC-T11-BELKIN-SLEEVE 12 | DP-IPHONE4 13 | DP-IPHONE5 14 | DP-NOKLUMIA 15 | DP-HTCONE 16 | DP-HTCREZOUND 17 | DP-HTCDROIDINC 18 | DP-MOTDROID2 19 | DP-MOTDROID3 20 | DP-MOTDROIDRAZ 21 | DP-SAMSGALAX 22 | DP-SAMSGALAX3 23 | DP-SAMSGALAX4 24 | DP-SAMSGALAXTAB 25 | BT-HS-BEATSWIRELESS 26 | BT-HS-PLANT-M25 27 | BT-HS-PLANT-VOYLEGEND 28 | BT-HS-JAWB-ICONTHD 29 | BT-HS-JABRA-WAVE 30 | BT-HS-SAMS-HM1300 31 | BT-SP-JAWB-JAMBOX 32 | BT-SP-JAWB-JAMBOXBIG 33 | BT-SP-BOSESNDLNK2 34 | BT-KB-LOGITECH 35 | BT-MO-MOT-BTMOUSE 36 | BT-CK-JABRA-FREEWAY 37 | BT-CK-D-ROADSTER2 38 | BA-MOPHIE-JUICEPACKPLUS 39 | BA-MOPHIE-JUICEPACKAIR 40 | BA-NOK-LUMIA 41 | BA-HTC-REZOUND 42 | BA-SAMS-STELLAR 43 | MC-SANDISK-MICROSD4GB 44 | MC-SANDISK-MICROSD8GB 45 | MC-SANDISK-MICROSD16GB 46 | MC-SANDISK-MICROSD32GB 47 | MC-SANDISK-MICROSD64GB 48 | MC-SANDISK-READER 49 | MC-INTUIT-CCREADER 50 | MC-SQUARE-CCREADER 51 | CH-APPLE-5W 52 | CH-APPLE-10W 53 | CH-APPLE-12W 54 | CH-APPLE-5WL 55 | CH-APPLE-10WL 56 | CH-APPLE-12WL 57 | CH-MOT-MICROUSB 58 | CH-RIM-MICROUSB 59 | CH-SAMS-MICROUSB 60 | CH-NOK-INDUCTIVE 61 | HS-APPLE-EARBUDS 62 | HS-KLIPSCH-IMAGEONE 63 | HS-SENNH-CX870 64 | HS-BOSE-MIE2I 65 | HS-SKULLC-MERGER 66 | HS-MONST-NERGY 67 | HS-PLANT-MX200 68 | MO-IBOLT-MOUNT 69 | MO-MOT-RAZRM 70 | MO-IGRIP-WINDOW 71 | MO-IGRIP-VENT 72 | AC-ASSTCHARMS 73 | AC-BLING 74 | AC-SIERRA-HOTSPOT3G 75 | AC-SIERRA-HOTSPOT4G 76 | AC-MOTO-HOTSPOT3G 77 | AC-MOTO-HOTSPOT4G 78 | AC-SAMS-NETEXTEND 
-------------------------------------------------------------------------------- /cribl/master/groups/logs/local/cribl/auth/certs/splunk_server.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFhDCCA2wCCQCKz+jNy5hTsTANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMC 3 | VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x 4 | EjAQBgNVBAoMCUNyaWJsIEluYzEgMB4GA1UECwwXTWt0ZyBEZXB0IChjbGllbnQg 5 | cGFzcykxETAPBgNVBAMMCGNyaWJsLmlvMB4XDTIwMDEyMTAwMTgyN1oXDTIwMDIy 6 | MDAwMTgyN1owgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYw 7 | FAYDVQQHDA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlDcmlibCBJbmMxIDAeBgNV 8 | BAsMF01rdGcgRGVwdCAoY2xpZW50IHBhc3MpMREwDwYDVQQDDAhjcmlibC5pbzCC 9 | AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPWqJhx4D+QbIgClKpBc1V/d 10 | w6/Jpilw7hklCnYJkZigH/Jh5OeOH3dg8Cd/V2GvOnJ246tdEejzVM9e9vRvtE9Y 11 | cv/54PLxYAkGRep5WqERGO47PXFtMA4TBZoEIQgUI6bhWNZ9XAViO+h8/OpGM4zg 12 | r0jbWwI7wfMyBXATF32u/XLKWDoAz7qY8nCQFF0pRw6JfCuxa+MW0IhzAUnR325Z 13 | /KLLzYu6EppHRL3HdN7uOBuR+4rSQNCRRwJs9ooulJWCe+UR/fKxj+CJlo6JO+U8 14 | N4hvCxLF1huIDwQ56/wIrdKn9JeKFZTXR5fjtfHtbiEFRFYF/v04A1ggcPfPMNqo 15 | 44N8ZnTMALigZnbDGGQU4SWvrgR9HhpvFb4lDmM9YK6FfM2LtAugsqpaBEJcERqk 16 | Ixx+zt1I/1Xv4cwtI+lxEB8yTRK8fhCUTtCnRH6vrqFG2zFetLfAhNoLl0a7kPLH 17 | YA8gg+l6Idx8bPpjH02bknkzjiy601YBXg6/VlwYMYrKMgB2bzgYNGu0Kp+rjPsz 18 | z7t5c8jHrfFBqhRGWp+Q+IU3Nz84cJgPm9JHdhb+0OMeMloo20TVMeqFw0EwnK28 19 | Z393yyaOYLFtVwTzDFqwPWTFebo0KU+spMqWWG1wXzn/6KBR51r4YMZklbhI1JVA 20 | HuppinbXkcyB47SCoDq3AgMBAAEwDQYJKoZIhvcNAQEFBQADggIBAN0cZKubgY7t 21 | 01kT7jeXpQr4AcA5BmTdEKfvK/j5VuLUe7nDClCdZsZGDldIBlVJl3h4YutWBGMC 22 | JBpYebi/q6jC9mF7wBdpCOpY6QYS452Q1gfmIKIUpLW8MMNtJqTbSklMgoYWrOtZ 23 | fgvjY+ftDIpCtb622MeJZg3vsIisb5GgNJTkysv0ZbVuxsw1PasMUNni4M8onD02 24 | YfuPUx/VB5RKw8PhcAryAno1Gz6vnLDP28oKJ2BqQQu6JJOikif4tE6gVOPIUKF8 25 | 0FfcNezatn8yqFYS65GLJXvD120vqpv6SbWBl6fqKlhdp8rHv3wXbuqXqGpZDlnX 26 | 
viRwSyBcjOjzsStolOqLbwJrv/qgUxGd4BEXlNKiH4ZilDHU9cT9+5GEkhtwPyK0 27 | hww45/UA9ocQXbGHUMHqAYz+kBBRnc3E3ZPp+Ag6SqETieOMiTAHweX6nW/UpWLz 28 | fkg+/PQ0OUZg5w3dDeFoTN9H4QWGpNi6V68X5KmL0QgwDW75i7shLKSNrwPwB5Jj 29 | aU7y5oCv7WAHdDYT/4QMX2SHpay5rdgvdJvBRLcwWCHc/1b59jKii9njo9jYSeja 30 | vD0auOPBIBS2IMU/EJaU8PN4+DBl1tCcHNjCSXWVvyktt7X3Yvl63+r0YmV5NPoK 31 | vMYlfqjnaYC7hob63y3sqlyolX3hD8mP 32 | -----END CERTIFICATE----- -------------------------------------------------------------------------------- /cribl/master/groups/logs/local/cribl/auth/certs/splunk_server.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFhDCCA2wCCQDDpEaAOXt89DANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMC 3 | VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x 4 | EjAQBgNVBAoMCUNyaWJsIEluYzEgMB4GA1UECwwXTWt0ZyBEZXB0IChjbGllbnQg 5 | cGFzcykxETAPBgNVBAMMCGNyaWJsLmlvMB4XDTIwMDEyMTAwMTkyOVoXDTIwMDIy 6 | MDAwMTkyOVowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYw 7 | FAYDVQQHDA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlDcmlibCBJbmMxIDAeBgNV 8 | BAsMF01rdGcgRGVwdCAoY2xpZW50IHBhc3MpMREwDwYDVQQDDAhjcmlibC5pbzCC 9 | AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDbfHP7Beud5ciHNy/O1t3M 10 | GC3XWZoxLMLq7QCFiu3oWwBjb0AyeqQK/8V4eG67P+AvhZ8vbdiVl6e9go6HIVQr 11 | UuldoBwF3Xp7vBLwKLNTifyd1kowK5W/PVTxOGDlnVWbDgLpn44ZoJZeUn3ByK10 12 | R3CMq6Q0F92hTXHscj884rgaql+x3yUrstmh9pgWQ9jZM8s2g3WHYC4nkHUbCS0C 13 | bY5oY3ftr/HO+c0fUwklgUz3qtmm1sqPXFe7dmz5YaLc8kLpH1ajbx8ZVUQ0NgMU 14 | 3JtM5XAQmQEEf7ZaElzdhiqnW7Gvin4pBrc9xooOcUuKZRUxpKhpAiUilNbqc6TE 15 | zM+ZXRhau9hUP4EtIJZ/LdLSRPWd7TpBxdAR4HvxzgKvF9zFxBUuaXIHRzWuNad+ 16 | 4pi8BD2uXRUfEsFmsRoZ5OjF++nOBtcoCDYP2IYBfYeGRkMit9j21/EIhSHGvTto 17 | PMU1SS4pAHZ91ft8uuLmf4d/I7KQP2Qdu8rB54OIaCV74YkEe7D5VVdS7qhC28W7 18 | yXqBl7znyPcgk7NH2eySIHjFCvVUPaovyr2fUmCkPdWEp+JsrrlJLBmnFERkLe1R 19 | pW71z93zT7aEqcC2oRv0+yJvY/7ReylNEgfW5iTd7zF/rCOttFUlYKfNTMR60Lx5 20 | 575ROGoptMROcSt1lqPXAgMBAAEwDQYJKoZIhvcNAQEFBQADggIBACDFWqTG/J5v 
21 | Pf3vkC89cfXJ0wtfKEdPSjgt7FZbyHyr+Aicx1EDJS9WZqZFhKNPY2Yv+FfM+cVM 22 | 1aTlxf7SPLGYkUdIHlngS/vwhJJri60p8eA1FL/EuAYX/fBSWdzB6O4e5zIo9Ta+ 23 | 99m+ktRJ6IXHmKUlmEQh8wzNitGVqaIP9VHb3GhwuwtbL1iKXRbO55mI0fgOcI+F 24 | DOEhzyWbaMBKlD5Zov2iQnDMdyRsqaYe0upEtM43sM6B6F0Aahu4kcK6GxVkNBP7 25 | ZqMlgKxpeHyu8RPTMy5UZZPowulsjHfjuViDHB21/KHGJq0lNo0olx5P8LcUIR7V 26 | AZgX2MQwQj1mlfaNq20+omjASuMhli8nJZ7w4asqOhhYR+MAvDOBy9WZpN8vLUZO 27 | m/D/77m1Vtx0SDI0arH7+WMthBrserDy3Z5rAME7wdWeZKI6sS5PXw3Q8TFualfU 28 | y+7FwFHryoUTHFW7ajlu+IH5qtTlYqiUuJ+bvAiBGtbVCiRZGl2aU0E/sisxpARk 29 | wcZ8M1qyL9Xq/8L8B1OmYmYqHUsxXE8z3BYfMungBIy++hGIONbPPaCWS4wzzmJe 30 | 6jiahPeetc2cckeQB5lYqLBZKfx5ysE0EacvRUKKGOg4SevvEIWavk913Ki+uVPC 31 | 1PTK+JXTGdIAMWNA3ol99S4mukG34Pm3 32 | -----END CERTIFICATE----- -------------------------------------------------------------------------------- /universalforwarder/gogen/samples/external_ips.sample: -------------------------------------------------------------------------------- 1 | 12.130.60.4 2 | 12.130.60.5 3 | 125.17.14.100 4 | 128.241.220.82 5 | 130.253.37.97 6 | 131.178.233.243 7 | 141.146.8.66 8 | 12.130.60.4 9 | 12.130.60.5 10 | 125.17.14.100 11 | 128.241.220.82 12 | 130.253.37.97 13 | 131.178.233.243 14 | 141.146.8.66 15 | 12.130.60.4 16 | 12.130.60.5 17 | 125.17.14.100 18 | 128.241.220.82 19 | 130.253.37.97 20 | 131.178.233.243 21 | 141.146.8.66 22 | 12.130.60.4 23 | 12.130.60.5 24 | 125.17.14.100 25 | 128.241.220.82 26 | 130.253.37.97 27 | 131.178.233.243 28 | 141.146.8.66 29 | 12.130.60.4 30 | 12.130.60.5 31 | 125.17.14.100 32 | 128.241.220.82 33 | 130.253.37.97 34 | 131.178.233.243 35 | 141.146.8.66 36 | 12.130.60.4 37 | 12.130.60.5 38 | 125.17.14.100 39 | 128.241.220.82 40 | 130.253.37.97 41 | 131.178.233.243 42 | 141.146.8.66 43 | 12.130.60.4 44 | 12.130.60.5 45 | 125.17.14.100 46 | 128.241.220.82 47 | 130.253.37.97 48 | 131.178.233.243 49 | 141.146.8.66 50 | 12.130.60.4 51 | 12.130.60.5 52 | 125.17.14.100 53 | 128.241.220.82 54 | 130.253.37.97 55 | 
131.178.233.243 56 | 141.146.8.66 57 | 12.130.60.4 58 | 12.130.60.5 59 | 125.17.14.100 60 | 128.241.220.82 61 | 130.253.37.97 62 | 131.178.233.243 63 | 141.146.8.66 64 | 12.130.60.4 65 | 12.130.60.5 66 | 125.17.14.100 67 | 128.241.220.82 68 | 130.253.37.97 69 | 131.178.233.243 70 | 141.146.8.66 71 | 12.130.60.4 72 | 12.130.60.5 73 | 125.17.14.100 74 | 128.241.220.82 75 | 130.253.37.97 76 | 131.178.233.243 77 | 141.146.8.66 78 | 12.130.60.4 79 | 12.130.60.5 80 | 125.17.14.100 81 | 128.241.220.82 82 | 130.253.37.97 83 | 131.178.233.243 84 | 141.146.8.66 85 | 12.130.60.4 86 | 12.130.60.5 87 | 125.17.14.100 88 | 128.241.220.82 89 | 130.253.37.97 90 | 131.178.233.243 91 | 141.146.8.66 92 | 142.162.221.28 93 | 142.233.200.21 94 | 194.215.205.19 95 | 201.122.42.235 96 | 201.28.109.162 97 | 201.3.120.132 98 | 201.42.223.29 99 | 203.92.58.136 100 | 212.235.92.150 101 | 212.27.63.151 102 | 217.132.169.69 103 | 59.162.167.100 104 | 74.125.19.106 105 | 81.11.191.113 106 | 82.245.228.36 107 | 84.34.159.23 108 | 86.212.199.60 109 | 86.9.190.90 110 | 87.194.216.51 111 | 89.167.143.32 112 | 90.205.111.169 113 | 92.1.170.135 114 | 1.16.0.0 115 | 1.19.11.11 116 | 27.1.0.0 117 | 27.1.11.11 118 | 27.35.0.0 119 | 27.35.11.11 120 | 27.96.128.0 121 | 27.96.191.11 122 | 27.101.0.0 123 | 27.101.11.11 124 | 27.102.0.0 125 | 27.102.11.11 126 | 27.160.0.0 127 | 27.175.11.11 128 | 27.176.0.0 129 | 193.33.170.23 130 | 194.146.236.22 131 | 194.8.74.23 132 | 195.216.243.24 133 | 195.69.160.22 134 | 195.69.252.22 135 | 195.80.144.22 136 | 200.6.134.23 137 | 202.164.25.24 138 | 203.223.0.20 139 | 217.197.192.20 140 | 62.216.64.19 141 | 64.66.0.20 142 | 69.80.0.18 143 | 87.240.128.18 144 | 89.11.192.18 145 | 91.199.80.24 146 | 91.205.40.22 147 | 91.208.184.24 148 | 91.214.92.22 149 | 94.229.0.20 150 | 94.229.0.21 -------------------------------------------------------------------------------- /cribl/master/groups/logs/local/cribl/auth/certs/splunk_server.key: 
-------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIJKgIBAAKCAgEA9aomHHgP5BsiAKUqkFzVX93Dr8mmKXDuGSUKdgmRmKAf8mHk 3 | 544fd2DwJ39XYa86cnbjq10R6PNUz1729G+0T1hy//ng8vFgCQZF6nlaoREY7js9 4 | cW0wDhMFmgQhCBQjpuFY1n1cBWI76Hz86kYzjOCvSNtbAjvB8zIFcBMXfa79cspY 5 | OgDPupjycJAUXSlHDol8K7Fr4xbQiHMBSdHfbln8osvNi7oSmkdEvcd03u44G5H7 6 | itJA0JFHAmz2ii6UlYJ75RH98rGP4ImWjok75Tw3iG8LEsXWG4gPBDnr/Ait0qf0 7 | l4oVlNdHl+O18e1uIQVEVgX+/TgDWCBw988w2qjjg3xmdMwAuKBmdsMYZBThJa+u 8 | BH0eGm8VviUOYz1groV8zYu0C6CyqloEQlwRGqQjHH7O3Uj/Ve/hzC0j6XEQHzJN 9 | Erx+EJRO0KdEfq+uoUbbMV60t8CE2guXRruQ8sdgDyCD6Xoh3Hxs+mMfTZuSeTOO 10 | LLrTVgFeDr9WXBgxisoyAHZvOBg0a7Qqn6uM+zPPu3lzyMet8UGqFEZan5D4hTc3 11 | PzhwmA+b0kd2Fv7Q4x4yWijbRNUx6oXDQTCcrbxnf3fLJo5gsW1XBPMMWrA9ZMV5 12 | ujQpT6ykypZYbXBfOf/ooFHnWvhgxmSVuEjUlUAe6mmKdteRzIHjtIKgOrcCAwEA 13 | AQKCAgEAowOlBn8lDFh017jB5cm0TUj68Ur918H4PPc3Wdw/oOegS1Zqbr0AZFcP 14 | BSaa9VcxkYMS0EOR/uJ5BKIffVQicgRfSzyk6JEDCPoAqvacDQUrZeope3rYyH4W 15 | 2Xyj7phuj+445RuKVIg6+Kr3qP2sd28g4VetrG265YXr1dLVY7EavXFH2jVvooKb 16 | XdY9rRQW8q6IlvXEgYxCFEk8MZ/yg2dzHRPf8Tgn3/gqxUP1aXjqAmF8aUHbgIrm 17 | c9WaQ1dlgVB0piyqNsFcl8K1BSBLfnHW59HHp01gJiTC0isdTMD1lzOcOnKGn527 18 | BC82LLNAwOidz/dqnNzuWywrykTSRPmvwnV/qtBSJruxh7Gdzq9bu3+ANDeTMUyc 19 | SViLssHBdaxVmrIk5d+x9mgKgpuUJM348X5YimlS+2+Ckhbd5HVkR17Ggqlm0NFB 20 | VWfHUegPtKG/FgNje1fOHOtXJBaWhtUaAFuzfkV1eYgz5OvFYXNyrHoOqh+3FVWD 21 | KxxyF8fZQ6gO5KQkXh3Qma64LrtlhyZjcpYzMXwvQxw0T54+K86DZdPC90R0ZGP7 22 | 9/y7btND+zmJnqLnFZEvD2tPH1cuTRxmukndoigEEn3cAo3IeZeTQKzRmbrqUAJU 23 | 0ZhiRqwFb55rtee0qlrMcdQzkqpx3Ct7ArHkSG82cdsRYHGv1AECggEBAP7Zc8TE 24 | dChSYfQtsLmXfdLkLG+o68gYd3rkCpI7WnISqP1shTNKigwLu2Eh/7lGWGeU3Fd9 25 | thEcIXtokmmXVNXwzOm38Wi9Bpe1N4YYHx7pSRpEIZtywUazm2idjy9oPrSLEQlg 26 | v+dz7jNFSgp19+pXp/7RJHEuJ9CcypYXfiYRYtBfV/sHl8AIhYfASEgpE4o92S+r 27 | ck3LnygrZ7LLD/2QZ8CcuPM9B1VCKbvVV8EuYrjYaUSiZBgZz9VK7iz2ZNJbxswe 28 | Kbs6XTguILgFZo4B8IwKoQidtl9MyWddVrxpWXG0CIV6JunVQOf75uJP2n0GFnXq 
29 | K0nMlgv0MqDaLscCggEBAPbGFMW/k0nYNdBvYc3BssEURKCuVBff6Nd7OfMl2i/H 30 | Ag8/5lhqHkfX+AyoXeoNQJ93FXGqZA1Uk/Ihbxy+hu30lGJ/FP08FMVMs9M0suyw 31 | E+FQF9klttVPtbo3OXHRgGQEJeXa3MIIi2c3PyK51XOzkLUMsJv1HYoWmI4Kwbmz 32 | lco+VUwR5yj9zC6SGm2hrTJEULZwsuCLG5eRQOfe/tR+madXNcqAXqpWGl29H5oD 33 | /m690z47LsVa+TEjThRVorSehPVgoByULuX1FheMR2UHginhNtwHG5UV9NyLY3mu 34 | gliL4PYu7wVebP6MBrjPqdL46MkDOYsjxSUaq98KZJECggEAEpN1Hc2YDexbWXoP 35 | HKgPMtUQ7B6q+Q3Xf6ypnJkY8aGskbRcTS3MvC4KvXzF8BJRlVNDcFkocTzUr/Mi 36 | YPH37BQ+S3bt8M1+coZyAqM1eYJVosV+kZ8euXGUDV8WtcTqdSyB1GYp9sv7e988 37 | E2Ef7gPvqeJCvsE3g7w6BBC4UDwKMNgSSKj4BbZZTVjVq/TaiMQTVacwkL0b38iy 38 | KVUl2DyzY1XJIWm8ZBmLgzZ8zAb+iSy1F5yioSMYhBqPG9Xl6XNpHS3BqvUJIHQ0 39 | TFWQcR9xEjQgIsmkJnQpZhBmpxsiuuf9iwUpWvgBYCd7X9mkOmK8NmIYP6va8Aof 40 | upvMtwKCAQEAygDFmkZC/EzHaHL0nah0egbsUpfBcLWydUmC213d6ARA1FjbZv6f 41 | APJyM3JTRjdI8gBaBmyTcDIO1UK3INF5xCnUmXgrp0vaONOb1EUsPgG4lFSq4O81 42 | ZhHU0bVJCbmUHssidrCcyxyReJFJ1lRGvWp9Byd3HoMchiAPCx8VC71M3Xv++MEi 43 | 93QiAvFIPvv8ucwgQeepFZPppz2Y4vWwpiNoBgqmlrhURZ0sAhXBW6LvUJmE5Uku 44 | 9RCOMcITtSOQh8fHUNGi3yIR7d2dEvOascHetAeOj7glxPlvMmXLrRzDyFXgdcVf 45 | lYaBNDFNg1VCT9e/PmSsYxCJ3eCiVna8cQKCAQEA17Ym8ZhlrCARy/aaTNVoL0q2 46 | VeBI8xYmctFqOrad8Xyha4aZD8M84FJlUcRSG1p8fqCSoEKX2zLriaEDQL5221QC 47 | J756+Eq0QQ5TEeKrc+LhEecAwlnLMmylfe2clUIqi2WBqh4wPtTZULMoiyK4QBdl 48 | ZJrq5/MU+Z7Ta8zHIUQACgPRdZqz3X/uIqUc/VK/zShzI9n7sp7zBqwYbTN61LCo 49 | nQc9ARZArl2FkIns/Aks+K0AEPnDHgEHrv/XGHSv4v4nVvBx5BZimqyLyNUbpg7/ 50 | YGNdFMAz6mkXuWGyZVtVINK5mIV4UJ2zSKEXQaF6ES2sqKZm8a3GWrptbkt3iw== 51 | -----END RSA PRIVATE KEY----- -------------------------------------------------------------------------------- /splunk/cribldemo/default/data/ui/views/troubleshooting.xml: -------------------------------------------------------------------------------- 1 |
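The files above put a private key (splunk_server.key) and two certificates into the repository. Decoding the PEM blocks shows that both certificates are self-signed (issuer equals subject), signed with sha1WithRSAEncryption, and valid for thirty days from 2020-01-21; splunk_server.key is the key for splunk_server.crt, while splunk_server.pem is a different certificate with the same subject. A private key that has been committed is compromised regardless of expiry and should be rotated rather than reused. The following is an added example, not the demo's code, of the checks to run before trusting a certificate/key pair for the Splunk output. It shells out to the openssl CLI (which must be on PATH); the finding strings and helper names are the example's own, and make_self_signed generates a throwaway pair so the checks can be tried without real material.

```python
"""Sanity checks for a PEM certificate/key pair, via the openssl CLI.

Added example, not the demo's code. Requires the openssl binary on PATH; the
finding strings and helper names are this script's own.
"""
import os
import re
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def _openssl(*args: str) -> str:
    """Run one openssl subcommand and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=True).stdout


def key_matches_cert(cert_path: str, key_path: str) -> bool:
    """True when the RSA modulus in the key equals the one in the certificate's public key."""
    try:
        cert_mod = _openssl("x509", "-noout", "-modulus", "-in", cert_path).strip()
        key_mod = _openssl("rsa", "-noout", "-modulus", "-in", key_path).strip()
    except subprocess.CalledProcessError:
        return False  # unreadable file, or not an RSA key
    return bool(cert_mod) and cert_mod == key_mod


def cert_validity(cert_path: str) -> Tuple[datetime, datetime]:
    """(notBefore, notAfter) as timezone-aware UTC datetimes."""
    out = _openssl("x509", "-noout", "-dates", "-in", cert_path)
    stamps = dict(line.split("=", 1) for line in out.strip().splitlines())

    def parse(s: str) -> datetime:  # openssl prints e.g. "Jan 21 00:18:27 2020 GMT"
        s = re.sub(r"\s*GMT\s*$", "", s.strip())
        return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

    return parse(stamps["notBefore"]), parse(stamps["notAfter"])


def cert_sig_alg(cert_path: str) -> str:
    """Signature algorithm name, e.g. sha256WithRSAEncryption."""
    text = _openssl("x509", "-noout", "-text", "-in", cert_path)
    m = re.search(r"Signature Algorithm:\s*(\S+)", text)
    return m.group(1) if m else "unknown"


def _name(cert_path: str, which: str) -> str:
    # "-issuer"/"-subject" print "issuer=<DN>"; RFC2253 gives a stable single-line DN
    out = _openssl("x509", "-noout", which, "-nameopt", "RFC2253", "-in", cert_path)
    return out.split("=", 1)[1].strip()


def cert_is_self_signed(cert_path: str) -> bool:
    return _name(cert_path, "-issuer") == _name(cert_path, "-subject")


def audit_pair(cert_path: str, key_path: str, min_days: int = 30,
               now: Optional[datetime] = None) -> List[str]:
    """Findings for a cert/key pair; an empty list means nothing objectionable."""
    now = now or datetime.now(timezone.utc)
    findings: List[str] = []
    if not key_matches_cert(cert_path, key_path):
        findings.append("private key does not match the certificate")
    if cert_is_self_signed(cert_path):
        findings.append("certificate is self-signed (issuer == subject); peers must pin it explicitly")
    alg = cert_sig_alg(cert_path)
    if re.match(r"(md5|sha1)With", alg, re.IGNORECASE):
        findings.append(f"weak signature algorithm {alg}")
    not_before, not_after = cert_validity(cert_path)
    if now < not_before:
        findings.append(f"certificate not valid until {not_before:%Y-%m-%d}")
    if not_after < now + timedelta(days=min_days):
        findings.append(f"certificate expires {not_after:%Y-%m-%d}, within {min_days} days or already past")
    return findings


def make_self_signed(cn: str, days: int, directory: Optional[str] = None) -> Tuple[str, str]:
    """Generate a throwaway self-signed RSA pair with openssl; returns (cert_path, key_path)."""
    directory = directory or tempfile.mkdtemp(prefix="certcheck-")
    cert = os.path.join(directory, f"{cn}.crt")
    key = os.path.join(directory, f"{cn}.key")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key, "-out", cert,
             "-days", str(days), "-subj", f"/CN={cn}")
    return cert, key


if __name__ == "__main__":
    import sys
    cert, key = sys.argv[1:3] if len(sys.argv) == 3 else make_self_signed("demo", 1)
    for finding in audit_pair(cert, key) or ["no findings"]:
        print(finding)
```

Run as `python certcheck.py splunk_server.crt splunk_server.key` to audit a real pair; with no arguments it audits a freshly generated one. Against the certificates on this page the self-signed, sha1 and expiry checks all fire, and pairing splunk_server.key with splunk_server.pem instead of splunk_server.crt also trips the modulus check.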
2 | 3 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 |
12 | 13 | 14 | 15 | Cribl: Functions 16 | 17 | index=_internal source=cribl message="loaded function" | rex field=file "functions\/(?<function>[^\/]+)\/" | stats latest(_time) as _time by function message | eval timeAgo=tostring((now()-_time), "duration") | sort function 18 | $field1.earliest$ 19 | $field1.latest$ 20 | 1 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 |
36 |
37 | 38 | 39 | Cribl: Messages 40 | 41 | index=_internal source=cribl | stats latest(_time) as _time count by message | eval timeAgo=tostring((now()-_time), "duration") | sort - count | fields message count _time * 42 | $field1.earliest$ 43 | $field1.latest$ 44 | 1 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 |
63 |
64 |
65 | 66 | 67 | 68 | Cribl: Raw Events 69 | 70 | index=_internal source=cribl 71 | $field1.earliest$ 72 | $field1.latest$ 73 | 1 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 |
-------------------------------------------------------------------------------- /universalforwarder/gogen/samples/shopping.yml: -------------------------------------------------------------------------------- 1 | begin: now 2 | count: 10 3 | randomizeCount: 0.5 4 | earliest: -3s 5 | interval: 1 6 | latest: now 7 | lines: 8 | - _raw: $externalIP$ - - [$ts$] "$method$ $uri$&JSESSIONID=$sessionId$ HTTP/1.1" $httpstatus$ $size$ "$referrerUri$" "$userAgent$" $timeTaken$ 9 | host: $webHost$ 10 | index: cribl 11 | source: /opt/apache/log/access_combined.log 12 | sourcetype: access_combined 13 | name: shoppingapache 14 | # rater: partial_outage 15 | singlePass: false 16 | generator: timeTaken 17 | tokens: 18 | - format: template 19 | name: ts 20 | replacement: '02/Jan/2006:15:04:05 -0700' 21 | type: gotimestamp 22 | - format: template 23 | name: method 24 | type: weightedChoice 25 | weightedChoice: 26 | - weight: 4 27 | choice: GET 28 | - weight: 1 29 | choice: POST 30 | - format: template 31 | name: uri 32 | type: weightedChoice 33 | weightedChoice: 34 | - weight: 2 35 | choice: "/cart.do?action=$action$&itemId=$itemId$&product_id=$productId$" 36 | - weight: 2 37 | choice: "/product.screen?product_id=$productId$" 38 | - weight: 3 39 | choice: "/category.screen?category_id=$catId$" 40 | - weight: 1 41 | choice: "/oldlink?item_id=$itemId$" 42 | - weight: 5 43 | choice: "/static/$staticFile$?" 
44 | - format: template 45 | group: 3 46 | name: webHost 47 | sample: webhosts.csv 48 | srcField: host 49 | field: host 50 | type: fieldChoice 51 | # - format: template 52 | # group: 3 53 | # name: webIP 54 | # sample: webhosts.csv 55 | # srcField: ip 56 | # type: fieldChoice 57 | - format: template 58 | name: externalIP 59 | sample: external_ips.sample 60 | type: choice 61 | - weightedChoice: 62 | - weight: 2 63 | choice: "purchase" 64 | - weight: 4 65 | choice: "addtocart" 66 | - weight: 1 67 | choice: "remove" 68 | - weight: 6 69 | choice: "view" 70 | - weight: 2 71 | choice: "changequantity" 72 | format: template 73 | name: action 74 | type: weightedChoice 75 | - format: template 76 | name: itemId 77 | sample: items.sample 78 | type: choice 79 | - format: template 80 | name: productId 81 | sample: products.sample 82 | type: choice 83 | - format: template 84 | name: catId 85 | sample: categories.sample 86 | type: choice 87 | - format: template 88 | name: httpstatus 89 | type: weightedChoice 90 | weightedChoice: 91 | - weight: 9 92 | choice: "200" 93 | - weight: 2 94 | choice: "503" 95 | - weight: 1 96 | choice: "400" 97 | - weight: 1 98 | choice: "404" 99 | - weight: 1 100 | choice: "406" 101 | - format: template 102 | name: referrerUri 103 | type: weightedChoice 104 | weightedChoice: 105 | - weight: 2 106 | choice: "/cart.do?action=$referrerAction$&itemId=$referrerItemId$&product_id=$referrerProductId$" 107 | - weight: 2 108 | choice: "/product.screen?product_id=$referrerProductId$" 109 | - weight: 3 110 | choice: "/category.screen?category_id=$referrerCatId$" 111 | - weight: 1 112 | choice: "/oldlink?item_id=$referrerItemId$" 113 | - choice: 114 | - "purchase" 115 | - "addtocart" 116 | - "remove" 117 | - "view" 118 | - "changequantity" 119 | format: template 120 | name: referrerAction 121 | type: choice 122 | - format: template 123 | name: referrerItemId 124 | sample: items.sample 125 | type: choice 126 | - format: template 127 | name: referrerProductId 128 | 
sample: products.sample 129 | type: choice 130 | - format: template 131 | name: referrerCatId 132 | sample: categories.sample 133 | type: choice 134 | - format: template 135 | name: userAgent 136 | sample: useragents.sample 137 | type: choice 138 | - format: template 139 | name: size 140 | lower: 200 141 | replacement: int 142 | type: random 143 | upper: 4000 144 | - format: template 145 | name: sessionIdForGenerator 146 | sample: session.csv 147 | type: fieldChoice 148 | srcField: sessionId 149 | 150 | - format: template 151 | name: staticFile 152 | type: weightedChoice 153 | weightedChoice: 154 | - weight: 2 155 | choice: jquery.js 156 | - weight: 2 157 | choice: app.js 158 | - weight: 5 159 | choice: $img$.jpg 160 | - format: template 161 | name: img 162 | type: random 163 | replacement: int 164 | lower: 1 165 | upper: 10000 166 | -------------------------------------------------------------------------------- /splunk/cribldemo/default/data/ui/views/start.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |

Welcome To Cribl Beta!

9 |
10 |
11 | Cribl helps you process machine data - logs, instrumentation data, application data, metrics, etc. - in real time and deliver it to your analysis platform of choice. 12 | It helps you enrich your logs with information from other systems, redact sensitive information, encrypt at the field level, sample, and filter out unneeded junk.
14 |
15 |

Contact us:

16 | 23 | 24 |
25 | 26 | 27 |

How Does Cribl Work?

28 |
29 |

In a Splunk environment, Cribl is deployed as a Splunk app. Depending on your architecture, 30 | it can reside either on a heavy forwarder (HF) or on an indexer (IDX). It receives events from the local Splunk instance, processes them and then sends them back to that instance's indexing queue.

31 |

Deployment and Configuration

32 |
    33 |
  • Single Server: Install the app on that instance.
  34 |
  • Distributed Environment: Install the app on a heavy forwarder (HF).
  35 |
36 |

Routing is configured through Splunk's _INDEX_AND_FORWARD_ROUTING settings. By default, all data except the internal indexes is routed out to Cribl and back into Splunk.

37 | 38 |

Data Flow Architecture

39 |
40 | 41 |
    42 |
  • Routes: A route finds the right pipeline to send events to.
  43 |
  • Pipelines: A pipeline is a series of functions executed in order.
  44 |
  • Functions: A function is code that processes an event.
  45 |
46 |
48 | 49 | 50 |

What's In The Demo?

51 |
52 |

This instance generates sample live data, which is passed through and transformed by Cribl in real time. There is a dashboard for each use case, 53 | including PII Obfuscation, Smart Sampling, Index-time Fields and Index-time Lookups.

55 |

The Overview page lists all the dashboards and their respective descriptions.

56 |
57 |

58 | Go To Cribl Management UI 62 |

(same credentials as here)

63 |

64 |
65 |

Walkthrough of processing data in real time with Cribl.

66 |
67 |