Skip to main content

Connecting Sources and Destinations

TL;DR

Data can be routed through Stream in two main ways: QuickConnect and Data Routes. Here we explore the simpler and more visual of the two options: QuickConnect. Through QuickConnect, users can, well, quickly connect Sources and Destinations. Through the UI, users can also select what transformations are also performed. A notable difference between Data Routes and QuickConnect is that Data Routes cascade (i.e. data flows through every Data Route until it gets stopped by a Final flag) while QuickConnections run parallel to each other.

Routing is the nexus of Stream. All data coming in must get routed somewhere. All Sources need to be connected (read: routed) to Destinations. Stream doesn’t restrict you to a one-to-one relationship between Sources and Destinations. If you need to send data from a source to two or more places, so be it.

Navigate to QuickConnect

At the top, select Routing and click QuickConnect

In the QuickConnect UI, Cribl has simplified this process. Users click and drag a data Source to a data Destination and then select what they want in the middle (Pipeline or Pack, more on both later). That's it. There's not much more to read, but you can read more over on our Cribl Blog.

Let's "do a QuickConnect" as the kids say.

Do a QuickConnect
  1. On the left side of the QuickConnect UI, click Add Source
  2. Find Datagen hover over it, then click Select Existing
  3. Click palo_traffic
  4. In the resulting pop-up, click Yes
  5. Click + and drag to generic_siem and release
  6. Leave Passthru selected and click Save
  7. Commit & Deploy

That's it! Now data is coming into Stream and passing through directly to your SIEM. Let's look at what we can do inside of Stream to further optimize and enrich your security and IT data.