Getting started with Cribl LogStream


Before Deploying

Deployment Options

There are two deployment options for Cribl: standalone, or as a Splunk App. Your choice will depend on your requirements.

Before the Install

  • Choose an instance on which to install Cribl.
  • Download Cribl. If you're planning to deploy Cribl with Splunk, make sure you get the Splunk app package.
  • On the installation instance, Cribl needs these ports to be available:
    • Cribl UI. Default: 9000 (both options)
    • Cribl HTTP In. Default: 10080 (Standalone)
    • Splunk-to-Cribl data port. Default: localhost:10000 (Splunk App)

Overriding Default Ports

If the above ports are not available, they can be overridden in the following configuration files:

  • Cribl UI port (9000):

    • default definitions for host, port and other settings in $CRIBL_HOME/default/cribl/cribl.yml can be overridden by defining alternatives in $CRIBL_HOME/local/cribl/cribl.yml
  • Cribl HTTP In port (10080):

    • default definitions for host, port and other settings in $CRIBL_HOME/default/cribl/inputs.yml can be overridden by defining alternatives in $CRIBL_HOME/local/cribl/inputs.yml
  • Splunk-to-Cribl data port (10000):

    • default definition in default/cribl/inputs.yml can be overridden by defining an alternative in local/cribl/inputs.yml, AND
    • the corresponding server attribute in [tcpout:cribl], defined by default in default/outputs.conf, can be overridden by re-defining it in local/outputs.conf (Splunk conf file precedence applies: local overrides default)

Performance Considerations

Like most data processing applications, Cribl's resource utilization will be commensurate with the type of processing that is occurring. For instance, a function that adds a static ingest-time field to an event will likely perform faster than one that applies a regex to find and replace a string. At the time of this writing:

  • Cribl processing will use about 2 CPUs
  • Cribl processing happens in-memory
  • Cribl processing does not require significant disk allocation.

Security Considerations

At the time of this writing:

  • With the Splunk App package, data flow from Splunk to Cribl is confined to localhost:10000
  • The control plane (UI/API) runs on port 9000 and it's authenticated either locally or against Splunk's admin role.
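
One way to check the localhost confinement described above after an install or a port override, as an added example that is not part of Cribl's documentation or code. It parses `ss -ltn` output; the function name, the CRIBL_UI_PORT and CRIBL_DATA_PORT environment variables, and the sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Cribl's code). Audits `ss -ltn` output read on stdin for
# the default ports named on this page; override them via the env vars below.
# Real use:  ss -ltn | audit_cribl_listeners
audit_cribl_listeners() {
  awk -v ui="${CRIBL_UI_PORT:-9000}" -v data="${CRIBL_DATA_PORT:-10000}" '
    $1 == "LISTEN" {
      n = match($4, /:[0-9]+$/)          # last colon splits address from port
      if (!n) next
      port = substr($4, n + 1)
      host = substr($4, 1, n - 1)
      sub(/^\[/, "", host); sub(/\]$/, "", host)   # strip IPv6 brackets
      loopback = (host ~ /^127\./ || host == "::1")
      if (port == data && loopback)
        print "OK   data port " port " bound to loopback (" host ")"
      else if (port == data) {
        print "FAIL data port " port " exposed on " host
        bad = 1
      } else if (port == ui)
        print "INFO UI/API port " port " listening on " host
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample: the state the Security Considerations section describes.
sample_confined() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:10000     0.0.0.0:*
LISTEN  0       128     0.0.0.0:9000        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
EOF
}

# Constructed sample: data port overridden so that it binds on all interfaces.
sample_exposed() {
  cat <<'EOF'
LISTEN  0       128     0.0.0.0:10000       0.0.0.0:*
LISTEN  0       128     [::]:9000           [::]:*
EOF
}

sample_confined | audit_cribl_listeners
sample_exposed | audit_cribl_listeners || echo "data port is not confined to localhost"
```

The function exits non-zero only when the data port is listening on a non-loopback address, so it can gate a post-install check.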
