
Packs: the Easy Button of Stream

TL;DR

Packs are an easy way to share Pipelines, Data Routes, and Knowledge objects between Stream instances. We at Cribl curate Packs for the most common use cases we come across and publish them to GitHub in a repository we call the Dispensary, from which they can be copied directly into Stream using Add from Dispensary.

Users can also share their own Packs across Stream instances; for example, a Pipeline built in a test environment can be wrapped in a Pack and moved into production.

As it turns out, Stream has some common use cases: reducing firewall log volume, pruning Windows event logs, cleaning up syslog data, and so on. Because these use cases are common, we think it would be nice if you didn't have to spend hours reinventing the wheel. Hence, preconfigured Packs.

Packs are Data Routes, Pipelines, and Knowledge resources bundled (packed) together so they are easy to share and use across multiple Stream instances. Some Packs are curated by us at Cribl and published to a public repository called the Dispensary.

Say, for example, you need to prune and streamline your Palo Alto logs but don't know where to start. You could use the Add from Dispensary feature and grab the Palo Alto Networks Pack (made by Cribl) from the Dispensary. Actually, let's do that!

Add a new Pack
  1. In Stream's top nav, select the Processing submenu and click Packs
  2. Click Add Pack
  3. Click Add from Dispensary
  4. In the resulting drawer, search for Palo Alto Networks and click the matching tile
  5. Click + Add Pack
  6. Click the X at the top right to close the Palo Alto Networks Pack page
  7. Click the X at the top right to close the Dispensary

If you would like to explore here, go ahead. This Pack includes eight unique Data Routes, each with its own Pipeline. We'll move into the Pipelines on the next page, but in the meantime there is a README under the Settings sub-tab.

note

When navigating through a Pack, be aware of the sub-nav bar that sits below the top nav. To see the Pipelines inside a Pack, click Pipelines in the sub-nav, not in the top nav.

One other thing to point out about Packs is that they don't need to come from Cribl! A great example is building some Pipelines and Routes in a test environment and then moving them to production by wrapping them up in a Pack. A later course covers this scenario as well: a security expert builds a Pack using their expertise, and you deploy it in production. Easy peasy lemon squeezy.

Let's learn about Pipelines!