Copy, Export, and Install Packs
You can use the Cribl API to automate Pack operations, such as in a CI/CD pipeline, like copying Packs between Worker Groups or Fleets and exporting and installing Packs from one Worker Group or Fleet to another.
About Code Examples
Code examples use Bearer token authentication. Read the API authentication documentation to learn how to configure authentication. The API Credential (Cribl.Cloud and hybrid) or login credentials (on-prem) that you use to obtain the Bearer token must have the necessary Permissions for the operations in code examples.
Replace the variables in code examples with the corresponding information for your Cribl deployment.
For on-prem deployments, to use
httpsin request URLs, you must configure Transport Layer Security (TLS).Code examples do not include all available body parameters. For a complete list of body parameters for specific endpoints, refer to the documentation in the API Reference.
In Cribl.Cloud and other distributed deployments, you must commit and deploy the changes you make.
Copy Packs
The Cribl API includes a /packs/__clone__ endpoint for copying Packs from a Worker Group to one or more other Worker Groups. The following example demonstrates how to copy two Packs from the default Worker Group to the newHerd and goatMob Worker Groups.
Provide the following values in the request body:
srcGroup: ID of the Worker Group that contains the Packs you want to copy.dstGroups: Array of IDs of the target Worker Groups where you want to install the copied Packs.packs: Array of IDs of the Packs you want to copy.
curl --request POST \
--url "https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/packs/__clone__" \
--header "Authorization: Bearer ${token}" \
--header "Content-Type: application/json" \
--data '{
"srcGroup": "default",
"dstGroups": [
"newHerd",
"goatMob"
],
"packs": [
"cribl-palo-alto-networks",
"cribl-cisco-asa-cleanup"
]
}'curl --request POST \
--url "https://${hostname}:${port}/api/v1/packs/__clone__" \
--header "Authorization: Bearer ${token}" \
--header "Content-Type: application/json" \
--data '{
"source": "goatherd.a12b3Cd.crbl",
"id": "billyPack"
}'The response is a JSON object that confirms the target Worker Groups where the copied Packs are installed, similar to this example:
{
"installed": [
{
"group": "newHerd"
},
{
"group": "goatMob"
}
]
}If you copy Packs to only one Worker Group, the response includes details about the installed packs instead of the Worker Group, similar to this example:
{
"installed": [
{
"id": "cribl-palo-alto-networks",
"source": "file:/opt/cribl/state/packs/cribl-palo-alto-networks.ABC12d3.tmp.crbl",
"version": "1.1.2",
"group": "defaultHybrid",
"warnings": []
},
{
"id": "cribl-cisco-asa-cleanup",
"source": "file:/opt/cribl/state/packs/cribl-cisco-asa-cleanup.eF4G567.tmp.crbl",
"version": "1.1.15",
"warnings": []
}
]
}Export and Install a Pack
The following example demonstrates how to export a Pack from one Worker Group or Fleet and upload and install the Pack in another. The two Worker Groups or Fleets do not need to have the same Leader Node.
1. Export the Pack
The request URL should use the name of the Worker Group or Fleet from which you are exporting (in this example, originalHerd). Include the mode query parameter in the request URL to specify the export mode you want to use.
The request returns an octet-stream attachment that downloads as a .crbl file. This example uses the > redirect to write the exported Pack to a specific file (in this case, goatherd.crbl). If you do not include a redirect to specify a file name, Cribl downloads the Pack to a file that is named after the Pack ID in the format ${packName}.crbl.
curl --request GET \
--url "https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/m/originalHerd/packs/${packName}/export?mode=${exportMode}' > goatherd.crbl \
--header "Authorization: Bearer ${token}" \
--header "Content-Type: application/json"curl --request GET \
--url "https://${hostname}:${port}/api/v1/m/originalHerd/packs/${packName}/export?mode=${exportMode}' > goatherd.crbl \
--header "Authorization: Bearer ${token}" \
--header "Content-Type: application/json"2. Upload the Exported Pack to the Target Worker Group or Fleet
In the request URL, make sure to use the name of the target Worker Group or Fleet (in this example, newHerd). Include the filename query parameter in the request URL to specify the file name of the exported Pack.
Note the values for the custom headers Accept-Encoding, Connection, and Content-Type.
curl --request PUT \
--url "https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/m/newHerd/packs?filename=goatherd.crbl" \
--header "Authorization: Bearer ${token}" \
--header "Accept-Encoding: gzip, deflate, br, zst" \
--header "Connection: keep-alive" \
--header "Content-Type: application/octet-stream" \
--data-binary '@goatherd.crbl'curl --request PUT \
--url "https://${hostname}:${port}/api/v1/m/newHerd/packs?filename=goatherd.crbl" \
--header "Authorization: Bearer ${token}" \
--header "Accept-Encoding: gzip, deflate, br, zst" \
--header "Connection: keep-alive" \
--header "Content-Type: application/octet-stream" \
--data-binary '@goatherd.crbl'The response is a JSON object that includes the Pack name, a random ID, and the crbl file extension, similar to this example:
{"source":"goatherd.a12b3Cd.crbl"}3. Install the Uploaded Pack in the Target Worker Group or Fleet
The request body must include the JSON object from the response to the upload request in the previous step. If you want to rename the Pack in the target Worker Group or Fleet, add the id parameter in the request body as shown in this example.
curl --request POST \
--url "https://${workspaceName}-${organizationId}.cribl.cloud/api/v1/m/newHerd/packs" \
--header "Authorization: Bearer ${token}" \
--header "Content-Type: application/json" \
--data '{
"source": "goatherd.a12b3Cd.crbl",
"id": "billyPack"
}'curl --request POST \
--url "https://${hostname}:${port}/api/v1/m/newHerd/packs" \
--header "Authorization: Bearer ${token}" \
--header "Content-Type: application/json" \
--data '{
"source": "goatherd.a12b3Cd.crbl",
"id": "billyPack"
}'The response is a JSON object that provides information about the installed Pack, similar to this example:
{
"items": [
{
"id": "billyPack",
"source": "file:/opt/cribl/state/packs/goatherd.a12b3Cd.crbl",
"version": "0.0.1",
"warnings": []
}
],
"count": 1
}