Cribl LogStream – Docs

Download entire manual as PDF - v2.4.5

CLI Reference

Command line interface basics

In addition to starting and stopping the Cribl LogStream server, LogStream's command line interface enables you to initiate many configuration and administrative tasks directly from your terminal.

Command Syntax

To execute CLI commands, the basic syntax is:

cd $CRIBL_HOME/bin
./cribl <command> <sub-command> <options> <arguments>

Avoiding Surprises

Immediate Execution

As indicated in the sample output below, some commands take effect immediately.

Commands that require further input will echo the sub-commands, options, and arguments they expect.

Persistent Volumes

If you start LogStream with the CRIBL_VOLUME_DIR variable, all subsequent CLI commands should have this variable defined. Otherwise, those commands will apply LogStream's default directories, yielding misleading results.

You can set CRIBL_VOLUME_DIR as an environment variable, or you can explicitly include it in each command, as in this example:

CRIBL_VOLUME_DIR=<writable-path-name> /opt/cribl/bin/cribl status

Note that $CRIBL_VOLUME_DIR, when set, overrides $CRIBL_HOME.

Commands Available

To see a list of available commands, enter ./cribl alone (or the equivalent ./cribl help). To execute a command, or to see its required parameters, enter ./cribl <command>.

help

Displays help (commands list).

Cribl LogStream – N.n.n-<build no.>
Usage: [sub-command] [options] [args]

Commands:
help            – Display help
mode-master     – Configure to a master instance
mode-single     – Configure to a single instance
mode-worker     – Configure to a worker instance
reload          – Reload Cribl LogStream
restart         – Restart Cribl LogStream
start           – Start Cribl LogStream
status          – Status of Cribl LogStream
stop            – Stop Cribl LogStream
version         – Print Cribl LogStream version and installation type

auth            – Cribl LogStream Auth
boot-start      – Enable/Disable Cribl LogStream boot-start
diag            – Manage diagnostics bundles
groups          – Manage Worker Groups
keys            – Manage encryption keys
mode-searchhead – Configure Cribl LogStream to run on a Splunk Search Head
nc              – Listen on a port for traffic and output stats and data
node            – Execute a JavaScript file
pipe            – Feed stdin to a pipeline
splunk-decrypt  – Splunk decrypt search command
task            – Run Cribl LogStream task
vars            – Manage global variables

mode-master

Configures Cribl LogStream as a Master instance.

Options

[-H <host>]             – Host (defaults to 0.0.0.0).
[-p <port>]             – Port (defaults to 4200).
[-n <certName>]         – Name of saved certificate.
[-k <privKeyPath>]      – Server path containing the private key (in PEM format) to use. Can reference $ENV_VARS.
[-c <certPath>]         – Server path containing certificates (in PEM format) to use. Can reference $ENV_VARS.
[-u <authToken>]        – Optional authentication token to include as part of the connection header.
[-i <ipWhitelistRegex>] – Regex matching IP addresses that are allowed to establish a connection.

Sample Response

Settings updated.
You will need to restart LogStream before your changes take full effect.
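
The following is an added example, not part of the Cribl documentation, for vetting a candidate -i <ipWhitelistRegex> value before applying it: it runs the regex over constructed lists of addresses that must and must not match. It assumes the pattern is evaluated as an unanchored search (the semantics of grep -E); this page does not say whether LogStream anchors the pattern, so the strict form anchors and escapes it explicitly. The function names and sample addresses are hypothetical.

```shell
#!/bin/sh
# Added example: vet a candidate value for `mode-master -i <ipWhitelistRegex>`.
# Assumption: the pattern is applied as an unanchored search (grep -E semantics).

# Print each address in the whitespace-separated list $2 that regex $1 matches.
matched() {
    for ip in $2; do
        printf '%s\n' "$ip" | grep -Eq -- "$1" && printf '%s\n' "$ip"
    done
    return 0
}

# Return 0 only if regex $1 matches every address in $2 and none in $3.
vet_regex() {
    regex=$1 allow=$2 deny=$3
    for ip in $allow; do
        printf '%s\n' "$ip" | grep -Eq -- "$regex" ||
            { echo "misses allowed address $ip" >&2; return 1; }
    done
    leaked=$(matched "$regex" "$deny")
    [ -z "$leaked" ] || { echo "admits:" $leaked >&2; return 1; }
}

# Constructed sample data: Workers are expected only from 10.2.3.0/24.
ALLOW="10.2.3.5 10.2.3.41"
DENY="110.2.3.9 10.253.7.1 192.168.0.100"

LOOSE='10.2.3.'                      # dots unescaped, no anchors
STRICT='^10\.2\.3\.[0-9]{1,3}$'      # literal dots, anchored at both ends

vet_regex "$LOOSE"  "$ALLOW" "$DENY" || echo "LOOSE rejected"
vet_regex "$STRICT" "$ALLOW" "$DENY" && echo "STRICT accepted"
```

The loose pattern admits 110.2.3.9 because nothing anchors the start, and 10.253.7.1 because each unescaped dot matches any character.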

mode-single

Configures Cribl LogStream as a single-instance deployment.

Sample Response

Settings updated.
You will need to restart LogStream before your changes take full effect.

mode-worker

Configures Cribl LogStream as a Worker instance.

Usage

./cribl mode-worker -H <host> -p <port>

The -H <host> -p <port> parameters are required.

Options

-H <host>          – Master Node's Hostname or IP address.
-p <port>          – Master Node's cluster communications port (defaults to 4200).
[-n <certName>]    – Name of saved certificate.
[-k <privKeyPath>] – Server path containing the private key (in PEM format) to use. Can reference $ENV_VARS.
[-c <certPath>]    – Server path containing certificates (in PEM format) to use. Can reference $ENV_VARS.
[-u <authToken>]   – Authentication token to include as part of the connection header. By default, this token is included and is set to 'criblmaster'.
[-e <envRegex>]    – Regex that selects environment variables to report to Master.
[-t <tags>]        – Tag values to report to master.
[-g <group>]       – Worker Group to report to master.

Sample Response

Settings updated.
You will need to restart LogStream before your changes take full effect.

reload

Reloads Cribl LogStream. Executes immediately.

Reload request submitted to Cribl LogStream

restart

Restarts Cribl LogStream. Executes immediately.

🚧

Executing this command cancels any running collection jobs.

Stopping Cribl LogStream, process 56572
............
Cribl LogStream is not running
Starting Cribl LogStream...
..
Cribl LogStream started with pid 57233
API Server is available at http://192.168.0.100:9000

start

Starts Cribl LogStream. Executes immediately. Upon first run, echoes LogStream's default login credentials.

Starting Cribl LogStream...
..
Cribl LogStream started with pid 57279
API Server is available at http://192.168.0.100:9000

status

Displays status of Cribl LogStream, including the API Server address, instance's mode (Master or Worker), process ID, and GUID (fictitious example below). Executes immediately.

Cribl LogStream Status

Address: http://192.168.0.100:9000
Mode: worker
Status: Up
Software Version: 42.0-7f4c190a
Master: localhost:4200
PID: 3859
GUID: 76-ea411263a64b9-e419daee4-ef-dd2e2f

stop

Stops Cribl LogStream. Executes immediately.

🚧

Executing this command cancels any running collection jobs.

Stopping Cribl LogStream, process 57233
...........
Cribl LogStream is not running

version

Displays Cribl LogStream version and installation type. Executes immediately.

Version: 2.2-0####x##
Installation type: standalone

👍

The version command echoes standalone for both single-instance and distributed deployments. This simply confirms that you're running a freestanding Cribl LogStream server, not the Cribl App for Splunk.

auth

Log into or out of Cribl LogStream.

Commands:
login  - Log in to Cribl LogStream, args:
  [-h <host>]     - Host URL (e.g. http://localhost:9000)
  [-u <username>] - Username
  [-p <password>] - Password
  [-f <file>]     - File with credentials
logout - Log out from Cribl LogStream

Login Examples

Launch interactive login:

$CRIBL_HOME/bin/cribl auth login

Append credentials as command arguments:

$CRIBL_HOME/bin/cribl auth login -h <url> -u <username> -p <password>

📘

All -h and host arguments are optional, provided that the API host and port are listed in the cribl.yml file's api: section.

Provide credentials in environment variables:

CRIBL_HOST=<url> CRIBL_USERNAME=<username> CRIBL_PASSWORD=<password> $CRIBL_HOME/bin/cribl auth login

Provide credentials in a file:

$CRIBL_HOME/bin/cribl auth login -f <path/to/file>

Corresponding file contents:

host=<url>
username=<username>
password=<password>
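
Of the login methods above, -p <password> puts the secret in the process argument list and shell history, so the file form is the one to script against. The following added example (not from the Cribl documentation; the helper names are hypothetical, and /opt/cribl is used as the fallback for $CRIBL_HOME as in the path shown earlier on this page) creates the file with owner-only permissions and refuses to log in from a file that is readable by others or is missing a key.

```shell
#!/bin/sh
# Added example: guard the credentials file used by `cribl auth login -f <file>`.

# Return 0 if $1 is a regular file (not a symlink), has no group/other
# permission bits, and has non-empty host=, username= and password= lines.
cred_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # In the `ls -l` mode string, characters 5-10 are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: accessible beyond owner ($perms)" >&2; return 1; }
    for key in host username password; do
        grep -Eq "^${key}=.+" -- "$f" || { echo "$f: missing $key=" >&2; return 1; }
    done
}

# Write the file under umask 077 so it is never world-readable, reading the
# password from stdin/terminal so it does not appear in argv or shell history.
# usage: write_cred_file <file> <url> <username>
write_cred_file() {
    ( umask 077
      printf 'Password: ' >&2
      stty -echo 2>/dev/null || :
      IFS= read -r pw
      stty echo 2>/dev/null || :
      echo >&2
      printf 'host=%s\nusername=%s\npassword=%s\n' "$2" "$3" "$pw" > "$1" )
}

# Log in only when the file passes the checks above.
login_from_file() {
    cred_file_ok "$1" && "${CRIBL_HOME:-/opt/cribl}/bin/cribl" auth login -f "$1"
}
```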

boot-start

Enables or disables Cribl LogStream boot-start.

Usage: [sub-command] [options] [args]

Commands:
disable - Disable Cribl LogStream boot-start, args:
  [-m <manager>]   - Init manager (systemd|initd)
  [-c <configDir>] - Config directory for the init manager
enable  - Enable Cribl LogStream boot-start, args:
  [-m <manager>]   - Init manager (systemd|initd)
  [-u <user>]      - User to run Cribl LogStream as
  [-c <configDir>] - Config directory for the init manager

diag

Manages diagnostic bundles.

create - Creates diagnostic bundle for Cribl LogStream

list   - List existing Cribl LogStream diagnostic bundles

send   - Send LogStream diagnostics bundle to Cribl Support, args:
   -c <caseNumber> - Cribl Support Case Number
  [-p <path>]      - Diagnostic bundle path (if empty then new bundle will be created)

groups

Manages Worker Groups.

Usage: [sub-command] [options] [args]

Commands:
commit        - Commit, args:
  [-g <group>]   - Group ID
  [-m <message>] - Commit message
commit-deploy - Commit & Deploy, args:
   -g <group>    - Group ID
  [-m <message>] - Commit message
deploy        - Deploy, args:
   -g <group>    - Group ID
  [-v <version>] - Deploy version
list          - List Worker Groups

keys

Manages encryption keys. You must append the -g <group> argument to specify a Worker Group. As a fallback, append the argument -g default, e.g.:
./cribl keys list -g default

Usage: [sub-command] [options] [args]

Commands:
add  - Add encryption keys, args:
   -g <group>  - Group ID
  [-c <keyclass>] - key class to set for the key
  [-k <kms>]      - KMS to use, must be configured, see cribl.yml
  [-e <expires>]  - expiration time, epoch time
  [-i ]           - use an initialization vector
list - List encryption keys
   -g <group> - Group ID

mode-searchhead

Configures Cribl LogStream to run on a Splunk Search Head.

nc

Listens on a port for traffic, and outputs stats and data. (Netcat-like utility.)

Usage: [options] [args]

Options:
 -p <port>           - Port to listen on
[-s <statsInterval>] - Stats output interval (ms), use 0 to disable
[-u]                 - Listen on UDP port instead
[-o]                 - Output received data to stdout
[-t <rate> <units>]  - Throttle rate, in <units>/second, where <units> can be KB, MB, GB, or TB

node

Executes a JavaScript file. Displays a command prompt for path/filename input, as shown here:

> 

pipe

Feeds stdin to a pipeline. Examples:

cat sample.log |  ./cribl pipe -p <pipelineName> 
cat sample.log |  ./cribl pipe -p <pipelineName> 2>/dev/null

scope

Greps your apps by the syscalls. Executes immediately.

splunk-decrypt

Splunk decrypt search command. Executes immediately.

task

Runs a Cribl LogStream task. Requires definitions for the dir, executor, and path properties.

vars

Manages LogStream Global Variables.

Usage: [sub-command] [options] [args]

Commands:
add    - Add global variable, args:
   -i <id>           - Global variable ID
   -t <type>         - Type
   -v <value>        - Value
  [-a <args>]        - Arguments
  [-d <description>] - Description
  [-c <tags>]        - Custom Tags (comma separated list)
  [-g <group>]       - Group ID
get    - List encryption keys, args:
  [-i <id>]    - Global variable ID
  [-g <group>] - Group ID
remove - Remove global variable, args:
   -i <id>     - Global variable ID
  [-g <group>] - Group ID
update - Update global variable, args:
   -i <id>           - Global variable ID
   -t <type>         - Type
   -v <value>        - Value
  [-a <args>]        - Arguments
  [-d <description>] - Description
  [-c <tags>]        - Custom Tags (comma separated list)
  [-g <group>]       - Group ID

Updated about a month ago
