Filesystem Collector and Event Breaker Inconsistencies

It is being pulled from an NFS mount (Synology NAS) on a linux (ubuntu 20.04) vm.

Its 10,000 line sample, but when the file actually comes in its about 10-50 GB

Im still having the issue. This was my order of operations to fix/recreate issue.

Increased event breaker buffer timeout on collector source to 600000, commit, deploy.
Unsuccessful.
Delete event breaker, commit, deploy.
Recreate event breaker with settings you recommended to try, commit, deploy.
Filesystem collection has same results/symptoms.
I connected to the worker ui from the leader, and verified the breaker exists on the worker. The file preview with the breaker on the worker works.

I checked logs for the specific adhoc run and I only see 1 error.

{
"time": "2022-05-04T13:29:35.668Z",
"cid": "api",
"channel": "Job",
"level": "error",
"message": "failed to cancel task",
"jobId": "1651670972.72.adhoc.NDCA-collector",
"taskId": "collect.0",
"reason": {
"message": "Instance 1651670972.72.adhoc.NDCA-collector|collect.0 not registered",
"stack": "RpcInstanceNotFoundError: Instance 1651670972.72.adhoc.NDCA-collector|collect.0 not registered\n at /opt/cribl/bin/cribl.js:14:13169102\n at /opt/cribl/bin/cribl.js:14:11427356\n at runMicrotasks ()\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at async k.handleRequest (/opt/cribl/bin/cribl.js:14:13168338)",
"name": "RpcInstanceNotFoundError",
"req": {
"instanceId": "1651670972.72.adhoc.NDCA-collector|collect.0",
"method": "cancel",
"args": []
}
},
"source": "/opt/cribl/state/jobs/default/1651670972.72.adhoc.NDCA-collector/logs/job/job.log"
}

Yeah, the error looked benign, but just providing info.

I edited the file down to about 20 lines, changed EOL to LF from CRLF. Same symptoms.

Filesystem collection results (events do not have correct fields/values)

I want it to exclude the # lines since those are not events. The first real events are tab separated and the field names are in that field list. I tried changing the header line to "^#[Ff]" the event breaker preview completely fails.

Heres the first few lines of the file. With my original settings, the import looks fine and field/value pairs look good. But when run with a filesystem collector, it fails. Im going to try with the header line changes that you recommended.

#separator \x09#set_separator  ,#empty_field    (empty)#unset_field    -#path   conn#open   2021-11-12-12-45-00#fields ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   id.vlan id.vlan_inner   proto   service duration    orig_bytes  resp_bytes  conn_state  local_orig  local_resp  missed_bytes    history orig_pkts   orig_ip_bytes   resp_pkts   resp_ip_bytes   tunnel_parents  orig_cc resp_cc suri_ids    community_id#types  time    string  addr    port    addr    port    int int enum    string  interval    count   count   string  bool    bool    count   string  count   count   count   count   set[string] string  string  set[string] string2022-05-01 00:00:00.000012  CUaMDI3N3CtEwGXbX9  128.83.27.4 46210   170.114.10.87   443 4020    \N  tcp \N  65.207075   0   6218    SHR 1   0   0   ^hdf    0   0   9   6590    \N  US  US  \N  1:1nbEONdQpmuQtjlL3SSQbc28Wyo=2022-05-01 00:00:00.000320  CAZzJv4QRVv5Yek7Oh  128.83.130.204  54935   58.247.212.36   53  4020    \N  udp dns \N  \N  \N  SHR 1   0   0   ^d  0   0   1   156 \N  US  CN  \N  1:KJjQRZuB5bkT7+ebSf4FW7RJiL8=2022-05-01 00:00:00.000432  CdRza81SzhESDDyhI9  128.83.72.175   58632   192.111.4.106   443 4020    \N  tcp ssl 376.280685  1458    6534    S1  1   0   0   ShDd    3   1590    7   6826    \N  US  US  \N  1:ZqDFOlfGk/8wlEO1gmawxhE6YBg=2022-05-01 00:00:00.001140  CAcMyE40njQ2DatMNc  128.83.28.30    59755   205.251.197.3   53  4020    \N  udp dns \N  \N  \N  S0  1   0   0   D   1   140 0   0   \N  US  US  \N  1:SeSWa3fEVB/I60glsRug0PmDPys=