
How Event Breaking Works in Cribl

What Is an Event Breaker?

Simply put, Event Breakers take streams of data and convert them into discrete events. This is useful in Sources where the event structure is not defined by a standard, RFC, or some other documentation. Applying one or more of Cribl Stream/Edge's built-in Event Breakers gives you the flexibility to break incoming streams of data into discrete events.
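To make the idea concrete, here is an added sketch of breaking a stream into discrete events. It is not Cribl's code or configuration. The names `StreamBreaker`, `EVENT_START`, and `breakAll` are hypothetical, and the rule that an event begins at a line starting with an ISO-8601 timestamp is an assumption chosen for the sample data.

```javascript
// Added illustration, not Cribl's implementation; all names are hypothetical.
// Assumed rule: an event starts at a line beginning with an ISO-8601 timestamp;
// other lines (e.g. stack-trace frames) belong to the preceding event.
const EVENT_START = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/;
class StreamBreaker {
  constructor(startPattern = EVENT_START) {
    this.startPattern = startPattern;
    this.partialLine = ''; // text received after the last newline
    this.pending = [];     // lines of the event still being assembled
  }
  // Accept one arbitrary chunk; return only the events it completed.
  feed(chunk) {
    const lines = (this.partialLine + chunk).split('\n');
    this.partialLine = lines.pop(); // last piece may be an incomplete line
    const events = [];
    for (const line of lines) {
      if (this.startPattern.test(line) && this.pending.length > 0) {
        events.push(this.pending.join('\n')); // new start closes the old event
        this.pending = [];
      }
      this.pending.push(line);
    }
    return events;
  }
  // End of stream: emit whatever is still buffered as the final event.
  flush() {
    if (this.partialLine !== '') this.pending.push(this.partialLine);
    this.partialLine = '';
    const last = this.pending.length ? [this.pending.join('\n')] : [];
    this.pending = [];
    return last;
  }
}

// Constructed sample: three events, one multi-line, delivered in chunks
// that split mid-line and mid-event, as a raw stream would.
const CHUNKS = [
  '2024-05-01T10:00:00Z login ok user=alice\n2024-05-01T10:0',
  '0:01Z ERROR auth failed\n  at check(auth.js:10)\n  at ha',
  'ndle(server.js:42)\n2024-05-01T10:00:02Z logout user=alice\n',
];

function breakAll(chunks) {
  const breaker = new StreamBreaker();
  const out = [];
  for (const c of chunks) out.push(...breaker.feed(c));
  return out.concat(breaker.flush());
}
console.log(breakAll(CHUNKS));
```

The chunk boundaries fall inside a timestamp and inside a stack frame, yet the output is three whole events because incomplete text is buffered until the next event start is seen.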

Where Can You Configure Event Breakers?

You can find Event Breakers in a supported Source's configuration modal. When applied to Sources, Cribl Stream and Edge apply Event Breakers before setting any custom Fields. The diagram below illustrates how Cribl Stream and Edge process data.

event_processing_order.png

However, not all Sources support configuring custom Event Breakers. Sources like Syslog, HTTP (Bulk, HEC, etc.), and TCP JSON ship with a predefined structure that is not user-configurable. Later in this course, we'll discuss how you can use the Event Breaker Function to process events from these Sources.

What Can't an Event Breaker Do?

It's not possible to un-break events with an Event Breaker. If you are receiving events from a data stream that's already broken, you'll need to fix the data upstream.

Why Are Event Breakers So Important?

In the next module, we'll discuss why event breaking is critical to proper event processing, and why Event Breakers need to be defined correctly.