Version: 2.0.0

Cribl Autoreplay

Logs can be discovered and replayed automatically using criblautoreplay. A search result triggers the execution of criblautoreplay, and the fields of that result can define the arguments it is run with. This gives analysts access to the full logs of a system while reviewing notables, without configuring a replay by hand for each case.

Arguments:

  • Index: restricts the replay to this index. `*` is accepted but should not be used: a wildcard replays far more data than the notable under review needs
  • Host: restricts the replay to this host. `*` is accepted but should not be used, for the same reason
  • Sourcetype: restricts the replay to this sourcetype. `*` is accepted but should not be used, for the same reason
  • Earliest Time: start of the replay window, as epoch time
  • Latest Time: end of the replay window, as epoch time (must be later than Earliest Time)
  • Cribl Replay Collector Configuration: the Cribl Replay Collector Configuration that is used to replay the matching files
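Because the arguments come from a triggering search result, it is worth validating them before a replay is started: a field that happens to contain `*`, an inverted time window, or a window spanning weeks would all be accepted by the argument list above but would replay far more than the analyst needs. The following is an added example, not code from the Cribl Autoreplay app: a hypothetical helper that derives the six arguments from the fields of a search result (the field names `index`, `host`, `sourcetype`, `_time`, `earliest` and `latest` follow Splunk conventions), rejects wildcard scopes unless explicitly allowed, pads a notable's `_time` into a window when no explicit window is given, and caps the window length. The sample result row at the bottom is constructed for the example.

```python
"""Hypothetical argument builder for an automated Cribl replay (added example).

Not part of the Cribl Autoreplay app. It turns the fields of a triggering
search result into the argument set described above (index, host,
sourcetype, earliest/latest epoch time, collector configuration) and
refuses requests that would replay far more data than a notable needs.
"""
from datetime import datetime, timezone

SCOPE_FIELDS = ("index", "host", "sourcetype")
# Assumed policy cap on the replay window; not a value from the page.
MAX_WINDOW_SECONDS = 24 * 3600


class ReplayArgError(ValueError):
    """Raised when a search result would produce an unsafe replay request."""


def to_epoch(value):
    """Return integer epoch seconds from an epoch number/string or ISO-8601 text.

    Splunk's _time is epoch seconds (possibly fractional); ISO text is
    accepted so the helper also works on fields formatted by strftime().
    """
    if isinstance(value, (int, float)):
        return int(value)
    text = str(value).strip()
    if text.replace(".", "", 1).isdigit():
        return int(float(text))
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat naive timestamps as UTC, not local time
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_replay_args(result, collector_config, allow_wildcard=False,
                      padding_seconds=300, max_window=MAX_WINDOW_SECONDS):
    """Build the replay arguments from one search-result row (a dict).

    Scope fields must be present and, by default, must not contain '*'.
    The window is taken from 'earliest'/'latest' when both exist, otherwise
    it is padding_seconds either side of '_time'. Inverted or oversized
    windows are rejected rather than silently replayed.
    """
    args = {}
    for name in SCOPE_FIELDS:
        value = str(result.get(name, "")).strip()
        if not value:
            raise ReplayArgError(f"missing {name} in search result")
        if "*" in value and not allow_wildcard:
            raise ReplayArgError(
                f"wildcard in {name}={value!r}; scope the replay to the notable")
        args[name] = value

    if "earliest" in result and "latest" in result:
        earliest, latest = to_epoch(result["earliest"]), to_epoch(result["latest"])
    elif "_time" in result:
        center = to_epoch(result["_time"])
        earliest, latest = center - padding_seconds, center + padding_seconds
    else:
        raise ReplayArgError("result has neither earliest/latest nor _time")

    if earliest >= latest:
        raise ReplayArgError(f"earliest {earliest} is not before latest {latest}")
    if latest - earliest > max_window:
        raise ReplayArgError(
            f"window of {latest - earliest}s exceeds the cap of {max_window}s")
    if not str(collector_config).strip():
        raise ReplayArgError("a Cribl Replay Collector Configuration is required")

    args["earliest_time"] = earliest
    args["latest_time"] = latest
    args["collector_config"] = str(collector_config).strip()
    return args


# Constructed sample row, as a triggered search might hand it to the action.
SAMPLE_NOTABLE = {
    "_time": "1700000000.123",      # 2023-11-14T22:13:20Z
    "index": "windows",
    "host": "dc01",
    "sourcetype": "XmlWinEventLog:Security",
}

if __name__ == "__main__":
    print(build_replay_args(SAMPLE_NOTABLE, "archive-s3-replay"))
```

The `allow_wildcard` switch is deliberately off by default so that a wildcard has to be an explicit decision in the triggering search configuration rather than a side effect of an empty or catch-all field.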