Home - jpvlsmv/cc-template-pack GitHub Wiki

About

The cc-template-pack is a structured example of how a pack can be developed and maintained by the Cribl community, suitable either for publication or for private use. It aims to provide a flexible structure while being opinionated about how to "best" leverage Stream's capabilities.

Consider the following as a broad structure for the flow through your pack:

  • There will be a Stream data source, configured outside of your pack. This might be configured to use a preprocessing pipeline from your pack.
  • There will be a route configured outside of your pack sending that source through your pack's routing and defining the default destination.
  • The destination will be configured outside of your pack. This might be configured to use a post-processing pipeline from your pack.
  • The pack will define a route and a pipeline for each distinct data type it handles.

Outside the pack

    Source __inputId='inputtype:name'
    Route Filter='__inputId.equals("inputtype:name")' Pipeline='pack:yourpack' Output='outtype:name'

Inside the pack

    Route Filter='_raw.includes("pattern1")' Pipeline='mangle_data1'
    Route Filter='_raw.includes("pattern2")' Pipeline='mangle_data2'
    Route Filter='_raw.includes("pattern3")' Pipeline='mangle_data3'
    Route Filter='_raw.includes("pattern4")' Pipeline='mangle_data4'

    Pipeline mangle_data1-mangle_data4
    Pipeline preproc_style1
    Pipeline outproc_as_structured
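To make the flow above concrete, here is a small added example (not code from cc-template-pack or from Cribl) that models how a route table like the one sketched above is evaluated against sample events. It assumes Cribl's first-match semantics: routes are tried top to bottom, the first matching route whose `final` flag is true ends evaluation, and an event that matches no pack route reaches the destination without passing through any pack pipeline. The wiki's `__inputId.equals('inputtype:name')` is modelled as a plain string comparison (JavaScript strings have no `.equals` method), and the event shapes and patterns are constructed for the example.

```javascript
// Added example, not part of cc-template-pack: a model of route evaluation
// used to check which pack pipelines a sample event actually passes through.
// Assumed semantics: top-to-bottom evaluation, first matching route with
// `final: true` stops, unmatched events reach the destination untouched.

// Outer route, configured outside the pack (see "Outside the pack" above).
// Cribl filters are JavaScript expressions; modelled here as a function.
const outerRoute = {
  filter: (e) => e.__inputId === "inputtype:name",
  pipeline: "pack:yourpack",
  output: "outtype:name",
};

// Pack routes, mirroring "Inside the pack". With `final: true` on every
// route, an event is handled by at most one mangle_* pipeline.
const packRoutes = [
  { filter: (e) => e._raw.includes("pattern1"), pipeline: "mangle_data1", final: true },
  { filter: (e) => e._raw.includes("pattern2"), pipeline: "mangle_data2", final: true },
  { filter: (e) => e._raw.includes("pattern3"), pipeline: "mangle_data3", final: true },
  { filter: (e) => e._raw.includes("pattern4"), pipeline: "mangle_data4", final: true },
];

// Ordered list of pack pipelines an event passes through. An empty list means
// the event matched no pack route and fell through to the destination as-is.
function routeInsidePack(event, routes = packRoutes) {
  const pipelines = [];
  for (const route of routes) {
    if (!route.filter(event)) continue;
    pipelines.push(route.pipeline);
    if (route.final) break;
  }
  return pipelines;
}

// Full path for one event: the outer route decides whether the pack is entered
// at all, then the pack's own routes pick the per-data-type pipeline.
function traceEvent(event) {
  if (!outerRoute.filter(event)) {
    return { pack: false, pipelines: [], output: null };
  }
  return { pack: true, pipelines: routeInsidePack(event), output: outerRoute.output };
}

// Events that enter the pack but match none of its routes. These deserve a
// look whenever a pack pipeline is expected to mask, drop or normalise fields:
// nothing in the pack touched them, so any such processing was skipped.
function findUnhandled(events) {
  return events.filter((e) => {
    const trace = traceEvent(e);
    return trace.pack && trace.pipelines.length === 0;
  });
}

// Constructed sample events.
const sampleEvents = [
  { __inputId: "inputtype:name", _raw: "host=a pattern1 msg=ok" },
  { __inputId: "inputtype:name", _raw: "pattern2 and pattern1 in one line" }, // matches two filters
  { __inputId: "inputtype:name", _raw: "nothing the pack knows about" },     // matches none
  { __inputId: "other:source",   _raw: "pattern3 from another source" },     // never enters the pack
];

for (const e of sampleEvents) {
  console.log(JSON.stringify(traceEvent(e)));
}
console.log("events entering the pack but handled by no pipeline:", findUnhandled(sampleEvents).length);
```

Two things the trace makes visible that the sketch alone does not: substring filters such as `_raw.includes("pattern1")` overlap, so an event containing both `pattern1` and `pattern2` is handled only by `mangle_data1` (route order decides), and an event that matches no pack route is delivered with none of the pack's processing applied. If a pipeline does something you rely on for every event (for example field redaction), either add a catch-all route at the end of the pack or put that step in the post-processing pipeline attached to the destination.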

Getting Started

Follow the Getting Started guide or watch the demonstration video at https://youtu.be/FpkJrzedv_M

Then, import your new pack into your worker group, make your changes and export the pack back into your repository.

Features

  • Packs created with cc-template-pack can create a release .CRBL file, ready to submit to the Packs dispensary
  • GitHub Actions workflows are defined for common pack-management tasks, such as creating a release or pulling changes back from a deployed pack
  • Good ideas are packaged and where possible automated here

Workflow

How are cc-template updates done?

When cc-template-pack improvements are ready for release, I will create a pull request to bring a set of them into the main branch. I'll create a release candidate based on that PR, and eventually a full release after it is merged. If you have started your pack with the git history of cc-template-pack, you will be able to easily run git remote add template https://github.com/jpvlsmv/cc-template-pack ; git fetch template ; git merge template/main to bring in all the latest functionality without breaking your customized content.

TODO: test that

TODO: What to do to release your pack based on this

Individual files

  • README-newpack.md
  • package.json
  • LICENSE
  • data
  • default
    • pack.yml
    • parsers.yml
    • regexes.yml
    • vars.yml
    • samples.yml
    • schemas.yml
    • grok-patters
      • {grok_name}
    • pipelines
      • route.yml
      • {pipeline_name}
        • conf.yml
    • schemas
      • {schema_name.json}
    • functions
      • {function_name}