Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) are not always fully normalized to lowercase characters. You can use Cribl to adjust those values with either the Eval or the Mask function:


Eval

_raw.toLowerCase()


https://docs.cribl.io/stream/eval-function/ 

"The Eval Function adds or removes fields from events. (In Splunk, these are index-time fields.)"


Mask

You can also use Cribl's Mask function to hit all fields:

Regex = (.*)        <---- 1st Capturing Group (.*), see https://regex101.com/


g1.toLowerCase()




https://docs.cribl.io/stream/mask-function/

"The Mask Function masks, or replaces, patterns in events. This is especially useful for redacting PII (personally identifiable information) and other sensitive data."
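What the two expressions above do to an event, modelled in plain JavaScript as an added example (not code from this post or from Cribl). The sample event, the correlationToken field and the lowerJsonFields helper are constructed for illustration; the run shows that lowercasing all of _raw also lowercases key names and case-sensitive values such as base64 strings.

```javascript
// Plain-JavaScript model of the two approaches above; not Cribl's implementation.
// Constructed sample event: the field names and values are made up.
const sample = {
  _raw: '{"resourceId":"/SUBSCRIPTIONS/0000/resourceGroups/RG-Prod",' +
        '"correlationToken":"aGVsbG8tV29ybGQ="}',
};

// Eval: assign _raw the value of the expression _raw.toLowerCase().
function evalLower(event) {
  return { ...event, _raw: event._raw.toLowerCase() };
}

// Mask: match with (.*) and build the replacement from capture group 1 (g1).
// "." does not match newlines, so a multi-line event is handled line by line.
function maskLower(event, fields = ['_raw']) {
  const out = { ...event };
  for (const name of fields) {
    if (typeof out[name] === 'string') {
      out[name] = out[name].replace(/(.*)/g, (_match, g1) => g1.toLowerCase());
    }
  }
  return out;
}

// Hypothetical narrower variant (assumes _raw is JSON): lowercase only the
// values of the listed keys, leaving key names and other values untouched.
function lowerJsonFields(event, keys) {
  const obj = JSON.parse(event._raw);
  for (const key of keys) {
    if (typeof obj[key] === 'string') obj[key] = obj[key].toLowerCase();
  }
  return { ...event, _raw: JSON.stringify(obj) };
}

console.log(evalLower(sample)._raw);
console.log(lowerJsonFields(sample, ['resourceId'])._raw);
```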


