These docs are for Cribl Api 4.8 and are no longer actively maintained.
See the latest version (4.13).
Copy, Export, and Install Packs
You can use the Cribl API to automate Pack operations, such as in a CI/CD pipeline, like copying Packs between Worker Groups or Fleets and exporting and installing Packs from one Worker Group or Fleet to another.
About the Example Requests
Replace the variables in the example requests with the corresponding information for your Cribl deployment. In the cURL command options, replace
${token}
with a valid API Bearer token. You can also set the$token
environment variable to match the value of a Bearer token.For customer-managed deployments, to use
https
in the URL for your requests as shown in these examples, you must configure Transport Layer Security (TLS).In Cribl.Cloud and other distributed deployments, you must commit and deploy the changes you make. You can use the Cribl API to automate commit and deploy commands.
Copy Packs
The Cribl API includes a /packs/__clone__
endpoint for copying Packs from a Worker Group to one or more other Worker Groups. The following example demonstrates how to copy two Packs from the default
Worker Group to the newHerd
and goatMob
Worker Groups.
Provide the following values in the request body:
srcGroup
: ID of the Worker Group that contains the Packs you want to copydstGroups
: Array of IDs of the target Worker Groups where you want to install the copied Packspacks
: Array of IDs of the Packs you want to copy
curl --request POST \
--url 'https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/packs/__clone__' \
--header 'Authorization: Bearer ${token}' \
--header 'Content-Type: application/json' \
--data '{
"srcGroup": "default",
"dstGroups": [
"newHerd",
"goatMob"
],
"packs": [
"cribl-palo-alto-networks",
"cribl-cisco-asa-cleanup"
]
}'
curl --request POST \
--url 'https://${hostname}:${port}/api/v1/packs/__clone__' \
--header 'Authorization: Bearer ${token}' \
--header 'Content-Type: application/json' \
--data '{
"source": "goatherd.a12b3Cd.crbl",
"id": "billyPack"
}'
The response is a JSON object that confirms the target Worker Groups where the copied Packs are installed, similar to this example:
{
"installed": [
{
"group": "newHerd"
},
{
"group": "goatMob"
}
]
}
If you copy Packs to only one Worker Group, the response includes details about the installed packs instead of the Worker Group, similar to this example:
{
"installed": [
{
"id": "cribl-palo-alto-networks",
"source": "file:/opt/cribl/state/packs/cribl-palo-alto-networks.ABC12d3.tmp.crbl",
"version": "1.1.2",
"group": "defaultHybrid",
"warnings": []
},
{
"id": "cribl-cisco-asa-cleanup",
"source": "file:/opt/cribl/state/packs/cribl-cisco-asa-cleanup.eF4G567.tmp.crbl",
"version": "1.1.15",
"warnings": []
}
]
}
Export and Install a Pack
The following example demonstrates how to export a Pack from one Worker Group or Fleet and upload and install the Pack in another. The two Worker Groups or Fleets do not need to have the same Leader Node.
1. Export the Pack
The request URL should use the name of the Worker Group or Fleet from which you are exporting (in this example, originalHerd
). Include the mode
query parameter in the request URL to specify the export mode you want to use.
The request returns an octet-stream attachment that downloads as a .crbl
file. This example uses the >
redirect to write the exported Pack to a specific file (in this case, goatherd.crbl
). If you do not include a redirect to specify a file name, Cribl downloads the Pack to a file that is named after the Pack ID in the format ${packName}.crbl
.
curl --request GET \
--url 'https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/m/originalHerd/packs/${packName}/export?mode=${exportMode}' > goatherd.crbl \
--header 'Authorization: Bearer ${token}' \
--header 'Content-Type: application/json'
curl --request GET \
--url 'https://${hostname}:${port}/api/v1/m/originalHerd/packs/${packName}/export?mode=${exportMode}' > goatherd.crbl \
--header 'Authorization: Bearer ${token}' \
--header 'Content-Type: application/json'
2. Upload the Exported Pack to the Target Worker Group or Fleet
In the request URL, make sure to use the name of the target Worker Group or Fleet (in this example, newHerd
). Include the filename
query parameter in the request URL to specify the file name of the exported Pack.
Note the values for the custom headers Accept-Encoding
, Connection
, and Content-Type
.
curl --request PUT \
--url 'https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/m/newHerd/packs?filename=goatherd.crbl' \
--header 'Authorization: Bearer ${token}' \
--header 'Accept-Encoding: gzip, deflate, br, zst' \
--header 'Connection: keep-alive' \
--header 'Content-Type: application/octet-stream' \
--data-binary '@goatherd.crbl'
curl --request PUT \
--url 'https://${hostname}:${port}/api/v1/m/newHerd/packs/packs?filename=goatherd.crbl' \
--header 'Authorization: Bearer ${token}' \
--header 'Accept-Encoding: gzip, deflate, br, zst' \
--header 'Connection: keep-alive' \
--header 'Content-Type: application/octet-stream' \
--data-binary '@goatherd.crbl'
The response is a JSON object that includes the Pack name, a random ID, and the crbl
file extension, similar to this example:
{"source":"goatherd.a12b3Cd.crbl"}
3. Install the Uploaded Pack in the Target Worker Group or Fleet
The request body must include the JSON object from the response to the upload request in the previous step. If you want to rename the Pack in the target Worker Group or Fleet, add the id
parameter in the request body as shown in this example.
curl --request POST \
--url 'https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/m/newHerd/packs' \
--header 'Authorization: Bearer ${token}' \
--header 'Content-Type: application/json' \
--data '{
"source": "goatherd.a12b3Cd.crbl",
"id": "billyPack"
}'
curl --request POST \
--url 'https://${hostname}:${port}/api/v1/m/newHerd/packs/packs' \
--header 'Authorization: Bearer ${token}' \
--header 'Content-Type: application/json' \
--data '{
"source": "goatherd.a12b3Cd.crbl",
"id": "billyPack"
}'
The response is a JSON object that provides information about the installed Pack, similar to this example:
{
"items": [
{
"id": "billyPack",
"source": "file:/opt/cribl/state/packs/goatherd.a12b3Cd.crbl",
"version": "0.0.1",
"warnings": []
}
],
"count": 1
}