Version: 1.0.0

Cribl Autoreplay

Logs can be discovered and replayed in an automated fashion using criblautoreplay. A search result triggers the execution of criblautoreplay and can define the arguments used. This allows analysts to have access to the full logs of a system while reviewing notables. The action leverages the cribldiscovery and criblreplay modular inputs.

Arguments:

  • Index: index for the auto replay; accepts `*` as a wildcard, but a wildcard should not be used
  • Host: host for the auto replay; accepts `*` as a wildcard, but a wildcard should not be used
  • Sourcetype: sourcetype for the auto replay; accepts `*` as a wildcard, but a wildcard should not be used
  • Earliest Time: earliest time as epoch time
  • Latest Time: latest time as epoch time
  • REStream Configuration: which REStream Configuration should be used to automatically replay files
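The three scope arguments accept `*` but should not be passed one, since a wildcard index, host or sourcetype turns a targeted replay into a replay of everything in the time window. The following validator enforces that caveat, plus sane epoch bounds, before a replay is requested. It is an added example and not code from the Cribl Autoreplay add-on; it assumes the alert action receives its arguments as a flat dictionary keyed `index`, `host`, `sourcetype`, `earliest_time`, `latest_time` and `restream_config` (those key names are an assumption, not the add-on's documented parameter names), and the sample payloads are constructed.

```python
"""Validate Cribl Autoreplay arguments before a replay is triggered.

Added example, not part of the Cribl Autoreplay add-on. The argument key
names used here are an assumption about how the action's parameters are
delivered; adjust them to match the installed add-on.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WILDCARD = "*"
MAX_WINDOW_SECONDS = 7 * 24 * 3600          # constructed policy limit: one week
FUTURE_SLACK_SECONDS = 300                  # tolerate small clock skew
IDENT_RE = re.compile(r"^[A-Za-z0-9_.:\-]+$")  # conservative index/host/sourcetype charset


@dataclass(frozen=True)
class ReplayRequest:
    index: str
    host: str
    sourcetype: str
    earliest_time: int
    latest_time: int
    restream_config: str


def _scope_value(name: str, value, errors: List[str]) -> str:
    """Reject empty, wildcard or oddly formed scope fields (index/host/sourcetype)."""
    text = "" if value is None else str(value).strip()
    if not text:
        errors.append(f"{name}: missing")
    elif WILDCARD in text:
        errors.append(f"{name}: wildcard '*' not allowed (would replay every {name})")
    elif not IDENT_RE.match(text):
        errors.append(f"{name}: unexpected characters in {text!r}")
    return text


def _epoch(name: str, value, errors: List[str]) -> Optional[int]:
    """Parse an epoch-seconds value; None (plus an error) when it is unusable."""
    try:
        ts = int(value)
    except (TypeError, ValueError):
        errors.append(f"{name}: not an integer epoch ({value!r})")
        return None
    if ts < 0:
        errors.append(f"{name}: negative epoch {ts}")
        return None
    return ts


def validate_request(args: Dict[str, object], now: Optional[int] = None
                     ) -> Tuple[Optional[ReplayRequest], List[str]]:
    """Return (request, []) when the arguments are safe to replay, else (None, errors)."""
    errors: List[str] = []
    index = _scope_value("index", args.get("index"), errors)
    host = _scope_value("host", args.get("host"), errors)
    sourcetype = _scope_value("sourcetype", args.get("sourcetype"), errors)
    earliest = _epoch("earliest_time", args.get("earliest_time"), errors)
    latest = _epoch("latest_time", args.get("latest_time"), errors)

    if earliest is not None and latest is not None:
        if latest <= earliest:
            errors.append("latest_time must be after earliest_time")
        elif latest - earliest > MAX_WINDOW_SECONDS:
            errors.append(f"time window exceeds {MAX_WINDOW_SECONDS} seconds")
        if now is not None and latest > now + FUTURE_SLACK_SECONDS:
            errors.append("latest_time lies in the future")

    restream = str(args.get("restream_config") or "").strip()
    if not restream:
        errors.append("restream_config: missing")

    if errors:
        return None, errors
    return ReplayRequest(index, host, sourcetype, earliest, latest, restream), []


def validate_alert_payload(payload_json: str, now: Optional[int] = None
                           ) -> Tuple[Optional[ReplayRequest], List[str]]:
    """Splunk hands a custom alert action a JSON payload on stdin whose
    'configuration' object carries the action parameters; the key names
    inside that object are this example's assumption."""
    payload = json.loads(payload_json)
    return validate_request(payload.get("configuration", {}), now=now)


# Constructed sample payloads (not real alert output).
GOOD_PAYLOAD = json.dumps({"configuration": {
    "index": "web", "host": "srv-01.example.internal", "sourcetype": "access_combined",
    "earliest_time": "1700000000", "latest_time": "1700003600",
    "restream_config": "default"}})
BAD_PAYLOAD = json.dumps({"configuration": {
    "index": "*", "host": "srv-01", "sourcetype": "access_combined",
    "earliest_time": "abc", "latest_time": "1699990000"}})

if __name__ == "__main__":
    for label, payload in (("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD)):
        request, problems = validate_alert_payload(payload, now=1700100000)
        print(label, request if request else problems)
```

Wire the validator in front of whatever launches the replay, and treat any returned error as a reason to stop rather than to fall back to a wildcard: a rejected replay costs an analyst a re-run, while an accidental `*` replay can pull a large volume of logs back into the index.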