Cribl and PowerShell

We use Cribl at work and my colleague had a requirement where we wanted to look up users based on certain properties and filter them accordingly. Cribl has something called Lookup which can do that: it can look up values in CSV files (and a few other formats) to enrich events.

Uploading the CSV file to Cribl is easy, done via the GUI, but we wanted a way to keep it up to date as the contents change pretty regularly. Enter automation! And since I am a PoSH kid, that’s how I set about doing it.

Here are some useful docs I came across while doing this:

I am not too familiar with Cribl, so what follows is going to be kind of vague. We use Cribl cloud. There’s a leader node and some worker nodes, and from what I understand the worker nodes are where I must update the lookups.

Authentication

First things first is the authentication. A colleague with access to Cribl generated a client ID and secret for me. I assume they followed the steps here. Armed with those, what I had to do was generate a token (valid for 24 hours) so I can call the API.

That’s it, straightforward! Now you have the headers to use in all subsequent calls.

Next you need your Cribl instance URL.

Here’s some of the things I did.

Getting a list of worker groups

Getting a list of lookups across all worker groups

I get the worker groups, and then call an API endpoint against each of them to get the list of lookups. Key thing is the URL varies per worker group.

Uploading a lookup file

This only uploads the file to the worker group. It does not actually create or update the lookup. That’s the next step.

By the way, $lookupFileName would be something like UserMappings.csv. It has to end in .csv (or one of the few other extensions Cribl lookups support).

It’s important to capture the response as it contains a temporary file name. We need that in the next step as the creation or updating of the lookup is based on this temporary name.

Creating or Updating a lookup

Different REST methods are needed depending on whether you are creating or updating. So what I do is check whether the $lookupObjs from above contains the name of the lookup. $lookupObjs.items is an array of all the lookups, and the id property of each one is the name of the lookup.

If we have to update, it’s a PATCH method. If we have to create, it’s a POST method. The body is the same for both, but I wasn’t sure initially so added it to both use cases. Also, “fileInfo” is case-sensitive. I used “fileinfo” initially and it kept giving an error (didn’t capture it so I don’t have the error, but it was misleading in that it said the file doesn’t exist).

It’s important to capture the response, because we use it in the next step.

Committing the change

Now we need to commit the above change.

Deploying the commit

And finally, we deploy the commit.
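Putting all the steps above together, here is an end-to-end PowerShell script as an added example. It is not the post’s own code (the original snippets are not reproduced here), and it makes assumptions that you should check against the API reference for your Cribl version: the Cribl Cloud token endpoint and audience, the endpoint paths (/master/groups, /m/<group>/system/lookups, /m/<group>/version/commit, /master/groups/<group>/deploy), and the response fields it reads ($upload.filename for the temporary file name and $commit.items[0].commit for the commit hash). The leader URL, the client ID/secret environment variables and the CSV path are placeholders.

```powershell
# Added example: refresh a CSV lookup in every Cribl worker group via the REST API.
# Not the original post's script. Endpoint paths, token URL/audience and response
# field names are assumptions based on Cribl's API docs; verify for your version.
param(
    [string]$CriblUrl      = 'https://main-<workspace>-<org>.cribl.cloud', # placeholder leader URL
    [string]$ClientId      = $env:CRIBL_CLIENT_ID,      # keep secrets out of the script: env var or vault
    [string]$ClientSecret  = $env:CRIBL_CLIENT_SECRET,
    [string]$LookupPath    = '.\UserMappings.csv',      # must end in .csv (or another supported extension)
    [string]$CommitMessage = 'Automated refresh of UserMappings lookup'
)
$ErrorActionPreference = 'Stop'

# 1. Authentication: exchange client id/secret for a bearer token (Cribl Cloud issues
#    a ~24h token). Treat $token like a password: never log it or write it to disk.
$tokenResp = Invoke-RestMethod -Method Post -Uri 'https://login.cribl.cloud/oauth/token' `
    -ContentType 'application/json' `
    -Body (@{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        audience      = 'https://api.cribl.cloud'   # assumption: Cribl Cloud API audience
    } | ConvertTo-Json)
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

$api            = "$CriblUrl/api/v1"
$lookupFileName = Split-Path -Leaf $LookupPath      # e.g. UserMappings.csv; doubles as the lookup id

# 2. Worker groups: the lookup has to be updated in each one.
$groups = (Invoke-RestMethod -Method Get -Uri "$api/master/groups" -Headers $headers).items

foreach ($group in $groups) {
    $gid      = $group.id
    $groupApi = "$api/m/$gid"                       # per-group endpoints live under /m/<groupId>

    # 3. Existing lookups in this group; each item's id is the lookup name.
    $lookupObjs = Invoke-RestMethod -Method Get -Uri "$groupApi/system/lookups" -Headers $headers

    # 4. Upload the file. This only stages it; the response carries a temporary
    #    file name that the create/update call must reference.
    $upload   = Invoke-RestMethod -Method Put -Uri "$groupApi/system/lookups?filename=$lookupFileName" `
        -Headers $headers -ContentType 'text/csv' -InFile $LookupPath
    $tempName = $upload.filename                    # assumption: field name in the upload response

    # 5. Create (POST) or update (PATCH). Same body for both; "fileInfo" is case-sensitive.
    $body = @{ id = $lookupFileName; fileInfo = @{ filename = $tempName } } | ConvertTo-Json -Depth 3
    if ($lookupObjs.items.id -contains $lookupFileName) {
        $result = Invoke-RestMethod -Method Patch -Uri "$groupApi/system/lookups/$lookupFileName" `
            -Headers $headers -ContentType 'application/json' -Body $body
        Write-Host "[$gid] updated lookup $($result.items[0].id)"
    } else {
        $result = Invoke-RestMethod -Method Post -Uri "$groupApi/system/lookups" `
            -Headers $headers -ContentType 'application/json' -Body $body
        Write-Host "[$gid] created lookup $($result.items[0].id)"
    }

    # 6. Commit the change to the group's config. The commit hash is needed for the deploy.
    $commit = Invoke-RestMethod -Method Post -Uri "$groupApi/version/commit" `
        -Headers $headers -ContentType 'application/json' `
        -Body (@{ message = $CommitMessage } | ConvertTo-Json)
    $commitId = $commit.items[0].commit             # assumption: field name in the commit response

    # 7. Deploy that commit so the group's workers pick up the new lookup.
    Invoke-RestMethod -Method Patch -Uri "$api/master/groups/$gid/deploy" `
        -Headers $headers -ContentType 'application/json' `
        -Body (@{ version = $commitId } | ConvertTo-Json) | Out-Null
    Write-Host "[$gid] deployed commit $commitId"
}
```

Two practitioner notes on the design: the client secret is read from environment variables rather than embedded in the script, because the client-credentials flow hands out a long-lived bearer token and anyone who can read the script (or a transcript of it) could otherwise call the API as you for the next 24 hours; and $ErrorActionPreference = 'Stop' makes every Invoke-RestMethod failure abort the run, so a failed upload never gets followed by a commit and deploy of a half-updated group.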

And that’s it, we are done!