criblio / cribl-demo Goto Github PK

View Code? Open in Web Editor NEW

32.0 32.0 9.0 431.76 MB

Cribl Demo Content

Dockerfile 1.32% Shell 6.78% Lua 3.12% JavaScript 74.90% Python 10.10% Mustache 3.78%

cribl-demo's People

Contributors

Stargazers

Watchers

Forkers

bhattchaitanya weeb-cribl floscha cstarford etsangsplk raghavnaidum nicktank ssachi-juul dmdv

cribl-demo's Issues

index-time lookups dns panel b0rk3d

See dns panel in attached screenshot - this relates to #6

demo_dns function referenced but missing

It is referenced in the enrich pipeline, but it is missing in functions

Splunk in Docker

Hey there,

I found your Git repo while doing a Google Search on cribl while getting a demo at work and found it interesting that you implemented Splunk in Docker, because so have I!

My project is over at https://github.com/dmuth/splunk-lab and I see that yours is more just installing just the universal forwarder whereas mine is more about creating a full blown install of Splunk with some apps installed.

That said, if you're interested in comparing notes, there might be an opportunity for us save each other some effort. :-) Do let me know if you're interested. Thanks!

-- Doug

Master node differs from worker node version in distributed-demo branch

For some reason that i can't find in the code, the worker nodes are coming up as cribl 2, but the master node is coming up as cribl 1.7.2

docker-compose logs:

cribl-w1_1       | {"time":"2019-10-19T09:04:45.299Z","channel":"cribl","cid":"api","level":"info","message":"API server started","VERSION":"42.0-260d8083","BRANCH":"master","TIMESTAMP":"2019-10-18T17:47:45.445Z"}

cribl_1          | {"time":"2019-10-19T09:04:46.969Z","channel":"cribl","level":"info","message":"API server started","VERSION":"1.7.2-b7b4759d","BRANCH":"undefined","TIMESTAMP":"2019-10-14T16:15:30.329Z"}

From what I can tell by the Dockerfile and the docker-compose file, the Dockerfile is using cribl/cribl:next and the docker-compose file is using context: cribl

Any ideas how this could be happening?
I've done a system prune and everything and removed all volumes also so it -should- be a clean system.

Create ability to build different configurations

Similar to training build I'm putting in now, it would be nice to be able to create lighter configurations of the demo with a build system.

incorrect sandbox url in email

The sandbox URL sent in the email uses https:// while the settings in cribl.yml has SSL disabled

The dashboards inside Splunk's dashboards in demo app use https:// as well

M1 macs support

Hey, can you switch to ARM64 container images instead of x86-64 for the M1 macs? It runs much more faster using native platform docker images compared to x86-64.
Log is here:
https://pastebin.com/gcGEkW3Y

Update branding on Splunk app

Assets need refresh.

E.g: https://github.com/criblio/cribl-demo/blob/master/splunk/cribldemo/appserver/static/images/cribl-logo.png

Unable to build from distributed-demo branch

the cribl Dockerfile seems to be referring to a new entrypoint.sh which does not exist. This configuration is different to the master branch.

docker-compose up -d
WARNING: The ELK_VERSION variable is not set. Defaulting to a blank string.
Building cribl-w0
Step 1/11 : FROM cribl/cribl:next
 ---> 54ac8ddaf089
Step 2/11 : COPY http_status.csv /opt/cribl/data/lookups/http_status.csv
 ---> Using cache
 ---> a15a32040c38
Step 3/11 : COPY scripts/ /opt/cribl/scripts/
 ---> Using cache
 ---> ee2c6128a2aa
Step 4/11 : ADD http://cdn.cribl.io/dl/scope/latest/linux/libwrap.so /usr/lib/libwrap.so

 ---> Using cache
 ---> e077babd1740
Step 5/11 : RUN chmod 755 /usr/lib/libwrap.so
 ---> Using cache
 ---> 90f096c1f7ad
Step 6/11 : ENV SCOPE_OUT_DEST=udp://localhost:8125
 ---> Using cache
 ---> 22b72b4d71a4
Step 7/11 : ENV SCOPE_LOG_LEVEL=info
 ---> Using cache
 ---> 726464b6b62c
Step 8/11 : ENV SCOPE_LOG_DEST=file:///tmp/scope.log
 ---> Using cache
 ---> 19005a1428f0
Step 9/11 : ENV SCOPE_OUT_VERBOSITY=4
 ---> Using cache
 ---> 71109b796423
Step 10/11 : ENV GIT_DISCOVERY_ACROSS_FILESYSTEM=1
 ---> Using cache
 ---> bd40e1790a4e
Step 11/11 : ADD entrypoint.sh /sbin/entrypoint.sh
ERROR: Service 'cribl-w0' failed to build: ADD failed: stat /var/lib/docker/tmp/docker-builder896508838/entrypoint.sh: no such file or directory

Mac os X issue

I followed the proecudure and start Mac Os X steps gives below error:

parsing skaffold config: failed to apply profiles to config "cribl-demo" defined in file "/Users/tulpar/Project/cribl-demo/skaffold.yaml": applying profile "dev": invalid path: /deploy/kubectl/manifests/12. There's an issue with one of the profiles defined in config "cribl-demo" in file "/Users/tulpar/Project/cribl-demo/skaffold.yaml"; refer to the documentation on how to author valid profiles: https://skaffold.dev/docs/environment/profiles/.

cribl demo license expired

FYI the Cribl demo license expired.

workaround:

download newest cribl image from https://cribl.io/download/
copy license.yml from '../cribl/default/cribl' to '../cribl-demo/cribl/master/local/cribl'

Update the demo to utilize schema changes

AppScope 1.0 defined a baseline for schema. Several changes were made in order to standardize the schema. We need to make changes and validate as needed.

Scope no such file or directory

Hi all,

after updating to the latest version on master branch (version tag v1.7-118-gec1ea57) I am getting the following error when executing the start.sh script:

./start.sh: line 9: ./scope: No such file or directory
error: no objects passed to apply

Am I missing something or is that a bug?

Kind regards
Chris