
Layin' by the Spool

Cloudy with a chance of Cribl

This feature page was published on a previous version of the What's New with Cribl sandbox; therefore, the instructions are no longer valid.

TL;DR

Cribl Edge plus Cribl Search is an amazing combination. Out of the box, Cribl Search lets users query some of the data already on their Edge nodes. Disk Spooling extends that: it makes selected data instantly searchable on the node for a limited time, with no need to ship it all the way to your SIEM.

Cribl Edge deployed by a Cribl.Cloud Leader enables some nifty features in combination with Cribl Search. Namely, system logs are searchable out of the box (read: no setup required). That alone is amazing. However, there is other data that users want to search in Cribl Search without involving their SIEM and its costly storage. With that in mind, we created the Disk Spool Destination.

You know what? The best way to learn is by doing. Let's do it!

Create a Disk Spool Destination
  1. At the top left of the Cribl UI, click Stream and, in the resulting drop-down, click Edge
  2. Click into the default_fleet at the top left
  3. Click into the Collect submenu up top
  4. On the right-hand side, click Add Destination
  5. Hover over Disk Spool and click Add New
  6. For Output_ID enter LL_Spool_J

Before hitting Save, go ahead and check out all the options available here (or read the Disk Spool Destination docs).

Finish the Job
  1. Click Save
  2. Click and drag the + from Cribl Internal Source on the left-hand side to the new Disk Spool Destination
  3. In the resulting pop-up, ensure Passthru is selected and click Save
  4. Repeat the previous two steps for the Journal Files Source (connect it to the Disk Spool Destination)
  5. In the top right, click Commit
  6. In the resulting Git Changes modal, type in a meaningful commit message
  7. Click Commit and Deploy

Now the tough part is actually visualizing the fruits of our labor. Cribl Search is, at the time of writing, a cloud-only product, so you'll have to take our word for it. Alternatively, you can try this yourself by installing Cribl Edge on your own machine and searching it with Cribl Search in your own Cribl.Cloud Org.

Now let's get into our fun new Beta feature: Email Notifications!