
Capturing Data

Sample Data Preview

Cribl Stream allows for visual inspection of events as they make their trip through a Pipeline. This helps you shape and control events before they're delivered to a Destination, and helps you troubleshoot Stream Functions.

Preview works by taking a set of Sample events, passing them through the Pipeline, and displaying the result in a separate pane. Any time a Function is modified, added, or removed, the Pipeline changes, and so does its displayed output.

While you're in a Pipeline, you can add samples through one of the supported options: Paste, Attach, or Capture Data. The Paste and Attach options work with content that needs to be broken into events, while the Capture Data option works with events only. We're going to start out by capturing a bit of data to work with.

Steps - Running a Data Capture

  1. Make sure you are in the XML Pipeline.
  2. Make sure Sample Data has focus in the right pane.
    If you've collapsed the right pane, drag the divider back toward the left.
  3. Click Capture Data.
  4. In the Capture Sample Data modal's Filter Expression field, if this is not already present, paste in the following expression:
    sourcetype=='XmlWinEventLog:Security'
  5. Click Capture, accept the defaults, and click Start.
  6. Once the capture is complete, you should see a number of events in the right pane (like the image below).
  7. Click Save as Sample File.
  8. Note the default File Name in the SAMPLE FILE SETTINGS pop-up. (You can change it to something more descriptive if you like.)
  9. Select Save.
  10. In the right Preview pane, toggle the OUT button to IN.

You should see something like this in the right pane:

Captured Data
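
What the filter in step 4 does to the event stream, sketched as an added JavaScript example (not Cribl's code and not part of the original course): Cribl filter expressions are JavaScript expressions evaluated per event, so the match on sourcetype is exact and case-sensitive. The events, the compileFilter and captureSample helpers, and the event limit are constructed for illustration.

```javascript
// Constructed sample events (not real capture output); only the fields used here.
const events = [
  { sourcetype: 'XmlWinEventLog:Security', _raw: '<Event><System><EventID>4624</EventID></System></Event>' },
  { sourcetype: 'WinEventLog:Security',    _raw: 'LogName=Security EventCode=4624' },  // classic, non-XML
  { sourcetype: 'XmlWinEventLog:System',   _raw: '<Event><System><EventID>7036</EventID></System></Event>' },
  { sourcetype: 'xmlwineventlog:security', _raw: '<Event><System><EventID>4624</EventID></System></Event>' },
  { _raw: '<Event><System><EventID>4688</EventID></System></Event>' },                 // no sourcetype field
  { sourcetype: 'XmlWinEventLog:Security', _raw: '<Event><System><EventID>4625</EventID></System></Event>' },
  { sourcetype: 'XmlWinEventLog:Security', _raw: '<Event><System><EventID>4634</EventID></System></Event>' },
];

// The filter expression from step 4, exactly as pasted into the capture modal.
const FILTER = "sourcetype=='XmlWinEventLog:Security'";

// Hypothetical helper: compile an expression string into a per-event predicate.
// Only the sourcetype field is exposed, which is all this expression needs.
// A missing field evaluates to undefined, so the event simply does not match.
function compileFilter(expr) {
  const fn = new Function('event', `const { sourcetype } = event; return (${expr});`);
  return (event) => Boolean(fn(event));
}

// Hypothetical helper: keep matching events until maxEvents is reached,
// like a capture that stops at an event limit (the limit value is an assumption).
function captureSample(stream, expr, maxEvents) {
  const matches = compileFilter(expr);
  const captured = [];
  for (const ev of stream) {
    if (captured.length >= maxEvents) break;
    if (matches(ev)) captured.push(ev);
  }
  return captured;
}

// Three of the seven events match; the classic, System, lower-case and
// field-less events are all excluded from the sample.
const sample = captureSample(events, FILTER, 10);
console.log(sample.map((e) => e._raw));
```

If a capture comes back empty, checking the exact spelling and case of the sourcetype value on incoming events is the first thing to verify.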

Now that we've got some Windows XML sample data to work with, let's add more Functions to our Pipeline.