
Putting It All Together (Regex)

In this second Lookup implementation, we:

  • Uploaded sample data via the Sample Data > Import Data options.
  • Used the Lookup Function, with its Regex match mode, to match events with varied structures.
  • Used the Eval Function to route interleaved events into different indexes.
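To make the two-step pattern concrete, here is a stand-alone model of it in JavaScript (the language Cribl Eval expressions are written in). This is an added example, not code from Cribl or from this page: the lookup table rows, the regexes, the field names (`sourcetype`, `index`) and the sample events are all constructed for illustration, and the table is scanned in order, first match wins, the way a Regex-mode lookup behaves. The practitioner's caveat is also shown: events that match no row must land in a catch-all index rather than disappear.

```javascript
// Added example (not Cribl's code): a Regex-mode Lookup followed by an
// Eval-style routing step, modelled in plain JavaScript.
// All table rows, regexes, field names and sample events are constructed.

const LOOKUP_TABLE = [
  // Rows are tested in order and the first match wins, so put the most
  // specific patterns first. Each row yields a sourcetype and a target index.
  { pattern: /^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ [^"]*" \d{3} \d+/,            sourcetype: "access_combined", index: "web" },
  { pattern: /^<\d{1,3}>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+:/, sourcetype: "syslog",          index: "infra" },
  { pattern: /^\s*\{.*"event_type"\s*:\s*"auth"/,                           sourcetype: "auth_json",       index: "security" },
];

// Catch-all so that an event matching no row is still indexed, not dropped.
const DEFAULT_INDEX = "unclassified";

// Lookup step: return the first row whose regex matches the raw event, or null.
function lookupByRegex(raw, table = LOOKUP_TABLE) {
  for (const row of table) {
    if (row.pattern.test(raw)) {
      return { sourcetype: row.sourcetype, index: row.index };
    }
  }
  return null;
}

// Eval step: add the sourcetype and index fields the downstream SIEM routes on.
function routeEvent(event, table = LOOKUP_TABLE) {
  const hit = lookupByRegex(event._raw, table);
  return {
    ...event,
    sourcetype: hit ? hit.sourcetype : "unknown",
    index: hit ? hit.index : DEFAULT_INDEX,
  };
}

// Constructed, interleaved sample events of three different shapes plus one
// line no row recognises (simulating the imported sample data).
const SAMPLE_EVENTS = [
  { _raw: '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326' },
  { _raw: '<34>Oct 10 13:55:37 host01 sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 4242 ssh2' },
  { _raw: '198.51.100.5 - frank [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0' },
  { _raw: '{"event_type":"auth","user":"alice","result":"success"}' },
  { _raw: 'heartbeat ok' },
];

// Run every event through lookup + eval and return the routed copies.
function routeAll(events = SAMPLE_EVENTS, table = LOOKUP_TABLE) {
  return events.map((e) => routeEvent(e, table));
}

// Per-index event counts, handy for checking the split before going live.
function countByIndex(routed) {
  const counts = {};
  for (const e of routed) {
    counts[e.index] = (counts[e.index] || 0) + 1;
  }
  return counts;
}

// Usage: show where each sample event ends up.
for (const e of routeAll()) {
  console.log(`${e.index.padEnd(12)} ${e.sourcetype.padEnd(16)} ${e._raw.slice(0, 40)}`);
}
```

Before cutting a real pipeline over, run the imported sample data through the table and inspect the per-index counts: anything landing in the catch-all index is either a regex that needs tightening or a new event shape the table does not yet describe.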

To sum up, we coupled multiple Functions together to untangle similarly – but not identically – structured events, and to route them to separate indexes for more efficient searching in popular SIEMs.

Customers who currently rely on a middle-layer transformer to assign different sourcetypes to interleaved events could, in some cases, replace their environment's heavy forwarders with less resource-intensive Stream instances, and see a significant return on their Cribl investment.