Cribl - Docs

Getting started with Cribl LogStream

Download manual as PDF - v1.7


Before Deploying

Deployment Options

There are two deployment options for Cribl: standalone, or as a Splunk app. Which one you choose depends on your requirements. Both packages are available for download here.

Requirements and Supported Platforms

  • OS:
    • Linux: RedHat, CentOS, Ubuntu, AWS Linux, Suse (64bit)
    • macOS 10.13 and 10.14
  • System:

Recommended AWS Instance Types
c5d.2xl or higher (8vCPUs, 16GB RAM, 200GiB NVMe SSD)
c5.2xl or higher (8vCPUs, 16GB RAM, EBS)
c3.2xl or higher (8vCPUs, 15GB RAM, 2x160GiB SSD)

(the higher the CPU clock, the better)

As of v1.7 Node is no longer a runtime dependency.

Network Ports

Cribl needs these ports to be available by default:

  • Cribl UI. Default: 9000 (both options)
  • Cribl HTTP In. Default: 10080 (Standalone)
  • Splunk to Cribl data port. Default: localhost:10000 (Cribl App for Splunk)
  • | criblstream Splunk search command to Cribl. Default: localhost:10420 (Cribl App for Splunk)

Overriding Default Ports

The above ports can be overridden in the following configuration files:

  • Cribl UI port (9000): Default definitions for host, port and other settings are set in $CRIBL_HOME/default/cribl/cribl.yml and can be overridden by defining alternatives in $CRIBL_HOME/local/cribl/cribl.yml.

  • Data ports: HTTP In (10080), TCPJSON In (10420), Splunk to Cribl (10000): Default definitions for host, port and other settings are set in $CRIBL_HOME/default/cribl/inputs.yml and can be overridden by defining alternatives in $CRIBL_HOME/local/cribl/inputs.yml.
    Note: For Splunk to Cribl, the corresponding server attribute in [tcpout:cribl], defined by default in default/outputs.conf on the Splunk side, can be overridden by redefining it in local/outputs.conf (Splunk conf file precedence applies: local overrides default).


Performance Considerations

Like most data processing applications, Cribl's resource utilization depends on the type of processing being performed. For instance, a function that adds a static ingest-time field to an event will likely perform faster than one that applies a regex to find and replace a string. At the time of this writing:

  • Cribl processing will use about 2 CPUs (i.e. 4 vCPUs)
  • Cribl processing happens in-memory
  • Cribl processing does not require significant disk allocation.

Security Considerations

At the time of this writing:

  • With the Cribl App for Splunk package, data flow from Splunk to Cribl is confined to localhost:10000 and/or localhost:10420
  • The control plane (UI/API) runs on port 9000 and is authenticated either locally or against Splunk's admin role.
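
To check these statements on a running host, the listening sockets can be compared against the defaults above. The following is an added example, not part of the Cribl documentation or product: it parses `ss -ltnH` output and marks any listener on 10000 or 10420 that is not bound to loopback. It assumes the Cribl App for Splunk package with default ports; the sample input and the status labels are constructed for illustration.

```python
import ipaddress

# Default ports from this page. True = the page says the listener is
# confined to localhost (Cribl App for Splunk package).
CRIBL_PORTS = {9000: False, 10080: False, 10000: True, 10420: True}

# Constructed sample of `ss -ltnH` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 511 127.0.0.1:10000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:10420 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""


def parse_listeners(ss_output):
    """Yield (host, port) for every LISTEN line of `ss -ltnH` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        host = host.split("%")[0].strip("[]")  # drop zone id and IPv6 brackets
        yield ("0.0.0.0" if host == "*" else host), int(port)


def audit(ss_output):
    """Return (status, port, host) for each listener on a Cribl default port."""
    results = []
    for host, port in parse_listeners(ss_output):
        if port not in CRIBL_PORTS:
            continue
        if ipaddress.ip_address(host).is_loopback:
            status = "OK"
        elif CRIBL_PORTS[port]:
            status = "VIOLATION"  # should be localhost-only per this page
        else:
            status = "EXPOSED"    # network-reachable; expected for UI / HTTP In
        results.append((status, port, host))
    return results


if __name__ == "__main__":
    for status, port, host in audit(SAMPLE_SS):
        print(f"{status:9} {host}:{port}")
```

On a real host, pass the text produced by `ss -ltnH` to `audit()` instead of the sample. If the ports have been overridden in the local configuration files, adjust `CRIBL_PORTS` to match.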
