CrowdStrike LogScale

Send events to CrowdStrike LogScale.

The LogScale destination connects Streamfold to CrowdStrike Falcon LogScale, formerly known as Humio. LogScale allows you to search large amounts of log data quickly with real-time live tail.

Overview

When you add a LogScale destination you select the LogScale repository that events are sent to. You can add multiple LogScale destinations, one for each LogScale repository you want to send events to.

Streamfold uses the Bulk API endpoint, designed for the Filebeat log shippers, to send events to LogScale. Events are encoded to JSON when they are submitted to LogScale.

Configuration

Configuring the LogScale destination is simple and requires just two inputs to get started.

  • Base URL: This is the base URL for your LogScale installation. For example, if you are using the community edition you should set this to https://cloud.community.humio.com. If you run LogScale on-premise, use your on-premise installation URL.
  • Ingest token: Set this to an ingest token associated with the repository you want to send events to. When you create the token make sure to select the built-in json parser. See the section below for more details on how parsing works.

Parsing and timestamps

Streamfold emits JSON encoded events to the Bulk API endpoint of LogScale. When you create the ingest token for the repository in LogScale you should select the built-in json parser or a json-compatible custom parser. Additional parsing of embedded fields can be enabled if necessary for your traffic.

By default LogScale uses the top-level @timestamp field of the event as the timestamp of the incoming event. You can set this field explicitly using a function if your incoming event data does not contain it. If the field is still absent when the event is published to the destination, Streamfold sets it to the event's internal timestamp. You can change which field LogScale parses the timestamp from by using the parseTimestamp() function in your parser. See the timestamp parsing documentation for more information.
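As an added example (not Streamfold's or LogScale's own code), the script below builds the kind of Filebeat-style bulk request described in the Overview and fills @timestamp the way the paragraph above describes when an event lacks it. The endpoint path `/api/v1/ingest/elastic-bulk` and the `application/x-ndjson` content type are assumptions not stated on this page, and the sample events are constructed.

```python
"""Build a Filebeat-style bulk ingest request for LogScale (added example)."""
import json
from datetime import datetime, timezone
from urllib.request import Request

# Assumption: path of LogScale's Elastic Bulk ingest endpoint (not on this page).
BULK_PATH = "/api/v1/ingest/elastic-bulk"

# Constructed sample input: one event carries its own @timestamp, one does not.
SAMPLE_TS = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"message": "login ok", "user": "alice", "@timestamp": "2024-01-01T00:00:00+00:00"},
    {"message": "login failed", "user": "bob"},
]


def ensure_timestamp(event, internal_ts):
    """If the event has no top-level @timestamp, fill it from the pipeline's
    internal timestamp (ISO 8601, UTC) so LogScale's json parser can use it."""
    out = dict(event)
    if "@timestamp" not in out:
        out["@timestamp"] = internal_ts.astimezone(timezone.utc).isoformat()
    return out


def encode_bulk(events, internal_ts):
    """Encode events as newline-delimited JSON in the Elastic bulk format:
    an {"index":{}} action line precedes each JSON document line."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {}}, separators=(",", ":")))
        lines.append(json.dumps(ensure_timestamp(ev, internal_ts), separators=(",", ":")))
    return "\n".join(lines) + "\n"


def build_request(base_url, ingest_token, events, internal_ts):
    """Assemble the POST request. The ingest token is a bearer secret scoped to
    one repository: send it only over HTTPS and keep it out of logs."""
    body = encode_bulk(events, internal_ts).encode("utf-8")
    headers = {"Authorization": "Bearer " + ingest_token,
               "Content-Type": "application/x-ndjson"}
    return Request(base_url.rstrip("/") + BULK_PATH, data=body,
                   method="POST", headers=headers)


def demo():
    """Build (but do not send) a request against the community edition URL."""
    return build_request("https://cloud.community.humio.com",
                         "<INGEST-TOKEN-PLACEHOLDER>", SAMPLE_EVENTS, SAMPLE_TS)


if __name__ == "__main__":
    print(demo().data.decode("utf-8"))
```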
