In addition to starting and stopping the Cribl LogStream server, LogStream's command line interface enables you to initiate many configuration and administrative tasks directly from your terminal.
Command Syntax
To execute CLI commands, the basic syntax is:
cd $CRIBL_HOME/bin
./cribl <command> <sub-command> <options> <arguments>
Avoiding Surprises
Immediate Execution
As indicated in the sample output below, some commands take effect immediately.
Commands that require further input will echo the sub-commands, options, and arguments they expect.
Persistent Volumes
If you start LogStream with the CRIBL_VOLUME_DIR variable, all subsequent CLI commands should have this variable defined. Otherwise, those commands will apply LogStream's default directories, yielding misleading results.
You can set CRIBL_VOLUME_DIR as an environment variable, or you can explicitly include it in each command, as in this example:
CRIBL_VOLUME_DIR=<volume-dir> /opt/cribl/bin/cribl status
Commands Available
To see a list of available commands, enter ./cribl alone (or the equivalent ./cribl help). To execute a command, or to see its required parameters, enter ./cribl <command>.
help
Displays help (commands list).
Cribl LogStream – N.n.n-<build no.>
Usage: [sub-command] [options] [args]
Commands:
help – Display help
mode-master – Configure to a master instance
mode-single – Configure to a single instance
mode-worker – Configure to a worker instance
reload – Reload Cribl LogStream
restart – Restart Cribl LogStream
start – Start Cribl LogStream
status – Status of Cribl LogStream
stop – Stop Cribl LogStream
version – Print Cribl LogStream version and installation type
auth – Cribl LogStream Auth
boot-start – Enable/Disable Cribl LogStream boot-start
diag – Manage diagnostics bundles
groups – Manage Worker Groups
keys – Manage encryption keys
mode-searchhead – Configure Cribl LogStream to run on a Splunk Search Head
nc – Listen on a port for traffic and output stats and data
node – Execute a JavaScript file
pipe – Feed stdin to a pipeline
splunk-decrypt – Splunk decrypt search command
task – Run Cribl LogStream task
vars – Manage global variables
mode-master
Configures Cribl LogStream as a Master instance.
Options
[-H <host>] - Host (defaults to 0.0.0.0).
[-p <port>] - Port (defaults to 4200).
[-n <certName>] – Name of saved certificate.
[-k <privKeyPath>] – Server path containing the private key (in PEM format) to use. Can reference $ENV_VARS.
[-c <certPath>] – Server path containing certificates (in PEM format) to use. Can reference $ENV_VARS.
[-u <authToken>] - Optional authentication token to include as part of the connection header.
[-i <ipWhitelistRegex>] – Regex matching IP addresses that are allowed to establish a connection.
Sample Response
Settings updated.
You will need to restart LogStream before your changes take full effect.
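Because -i takes a regex, a loosely written pattern can admit more peers than intended. The script below is an added example, not part of the Cribl documentation: it checks a candidate pattern against constructed address lists before handing it to mode-master. It assumes the pattern is matched unanchored and uses grep -E as a stand-in for the product's regex engine; all function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the regex passed to `mode-master -i`.
# Assumption: the pattern is searched for anywhere in the peer address, so an
# unanchored pattern can match more addresses than intended.

# ip_matches REGEX IP -> exit 0 if the regex matches. grep -E stands in for the
# product's regex engine; keep to syntax both share ([0-9], \., ^, $, {m,n}).
ip_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# check_allowlist REGEX "MUST_ALLOW..." "MUST_DENY..."
# Returns non-zero if an expected peer is rejected or any other peer is admitted.
check_allowlist() {
    regex=$1 rc=0
    for ip in $2; do
        ip_matches "$regex" "$ip" || { echo "rejected but expected: $ip" >&2; rc=1; }
    done
    for ip in $3; do
        if ip_matches "$regex" "$ip"; then
            echo "admitted but unexpected: $ip" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data: Workers are expected only from 10.0.5.0/24.
WORKERS="10.0.5.17 10.0.5.200"
OUTSIDERS="110.0.5.9 10.0.51.3 210.0.5.44"
LOOSE_REGEX='10.0.5.'                      # unanchored, unescaped dots
STRICT_REGEX='^10\.0\.5\.[0-9]{1,3}$'      # anchored, literal dots

# configure_master REGEX: apply the allowlist only after it passes the check.
configure_master() {
    check_allowlist "$1" "$WORKERS" "$OUTSIDERS" || return 1
    "$CRIBL_HOME/bin/cribl" mode-master -i "$1"
}
```

With the sample data, LOOSE_REGEX fails the check because it also matches 110.0.5.9, 10.0.51.3 and 210.0.5.44, while STRICT_REGEX passes.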
mode-single
Configures Cribl LogStream as a single-instance deployment.
Sample Response
Settings updated.
You will need to restart LogStream before your changes take full effect.
mode-worker
Configures Cribl LogStream as a Worker instance.
Usage
./cribl mode-worker -H <host> -p <port>
The -H <host> -p <port> parameters are required.
Options
-H <host> – Master Node's Hostname or IP address.
-p <port> – Master Node's cluster communications port (defaults to 4200).
[-n <certName>] – Name of saved certificate.
[-k <privKeyPath>] – Server path containing the private key (in PEM format) to use. Can reference $ENV_VARS.
[-c <certPath>] – Server path containing certificates (in PEM format) to use. Can reference $ENV_VARS.
[-u <authToken>] – Authentication token to include as part of the connection header. By default, this token is included and is set to 'criblmaster'.
[-e <envRegex>] – Regex that selects environment variables to report to Master.
[-t <tags>] – Tag values to report to master.
[-g <group>] – Worker Group to report to master.
Sample Response
Settings updated.
You will need to restart LogStream before your changes take full effect.
reload
Reloads Cribl LogStream. Executes immediately.
Reload request submitted to Cribl LogStream
restart
Restarts Cribl LogStream. Executes immediately.
Executing this command cancels any running collection jobs.
Stopping Cribl LogStream, process 56572
............
Cribl LogStream is not running
Starting Cribl LogStream...
..
Cribl LogStream started with pid 57233
API Server is available at http://192.168.0.100:9000
start
Starts Cribl LogStream. Executes immediately. Upon first run, echoes LogStream's default login credentials.
Starting Cribl LogStream...
..
Cribl LogStream started with pid 57279
API Server is available at http://192.168.0.100:9000
status
Displays status of Cribl LogStream, including the API Server address, instance's mode (Master or Worker), process ID, and GUID (fictitious example below). Executes immediately.
Cribl LogStream Status
Address: http://192.168.0.100:9000
Mode: worker
Status: Up
Software Version: 42.0-7f4c190a
Master: localhost:4200
PID: 3859
GUID: 76-ea411263a64b9-e419daee4-ef-dd2e2f
stop
Stops Cribl LogStream. Executes immediately.
Executing this command cancels any running collection jobs.
Stopping Cribl LogStream, process 57233
...........
Cribl LogStream is not running
version
Displays Cribl LogStream version and installation type. Executes immediately.
Version: 2.2-0####x##
Installation type: standalone
The version command echoes standalone for both single-instance and distributed deployments. This simply confirms that you're running a freestanding Cribl LogStream server, not the Cribl App for Splunk.
auth
Log into or out of Cribl LogStream.
Commands:
login - Log in to Cribl LogStream, args:
[-h <host>] - Host URL (e.g. http://localhost:9000)
[-u <username>] - Username
[-p <password>] - Password
[-f <file>] - File with credentials
logout - Log out from Cribl LogStream
Login Examples
Launch interactive login:
$CRIBL_HOME/bin/cribl auth login
Append credentials as command arguments:
$CRIBL_HOME/bin/cribl auth login -h <url> -u <username> -p <password>
All -h and host arguments are optional, provided that the API host and port are listed in the cribl.yml file's api: section.
Provide credentials in environment variables:
CRIBL_HOST=<url> CRIBL_USERNAME=<username> CRIBL_PASSWORD=<password> $CRIBL_HOME/bin/cribl auth login
Provide credentials in a file:
$CRIBL_HOME/bin/cribl auth login -f <path/to/file>
--
Corresponding file contents:
host=<url>
username=<username>
password=<password>
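Of the login forms above, -p <password> places the password in the process argument list and shell history, while the -f form keeps it in a file. The script below is an added example, not part of the Cribl documentation: it writes that file in the host/username/password format shown above with owner-only permissions, and refuses to log in with a file that others can read. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: use the `auth login -f <file>` form with an owner-only
# credentials file. Function names are hypothetical, not part of the CLI.

# write_cribl_creds FILE HOST USERNAME
# Reads the password from stdin so it never appears in `ps` output.
write_cribl_creds() {
    creds_file=$1 host=$2 user=$3
    IFS= read -r password || [ -n "$password" ] || return 1
    # Create (or truncate) the file and lock it down before any secret is written.
    ( umask 077 && : > "$creds_file" ) || return 1
    chmod 600 "$creds_file" || return 1
    printf 'host=%s\nusername=%s\npassword=%s\n' \
        "$host" "$user" "$password" >> "$creds_file"
    unset password
}

# Print the octal permission bits (GNU stat first, BSD stat as fallback).
creds_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# cribl_login_with_file FILE
# Refuses to log in if group or others have any access to the file.
cribl_login_with_file() {
    mode=$(creds_mode "$1") || return 1
    case $mode in
        600|400) ;;
        *) echo "refusing to use $1: mode $mode is too permissive" >&2
           return 1 ;;
    esac
    "$CRIBL_HOME/bin/cribl" auth login -f "$1"
}
```

Feed the password on stdin, for example from a secrets manager or an interactive prompt, then call cribl_login_with_file with the same path.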
boot-start
Enables or disables Cribl LogStream boot-start.
Usage: [sub-command] [options] [args]
Commands:
disable - Disable Cribl LogStream boot-start, args:
[-m <manager>] - Init manager (systemd|initd)
[-c <configDir>] - Config directory for the init manager
enable - Enable Cribl LogStream boot-start, args:
[-m <manager>] - Init manager (systemd|initd)
[-u <user>] - User to run Cribl LogStream as
[-c <configDir>] - Config directory for the init manager
diag
Manages diagnostic bundles.
create - Creates diagnostic bundle for Cribl LogStream
list - List existing Cribl LogStream diagnostic bundles
send - Send LogStream diagnostics bundle to Cribl Support, args:
-c <caseNumber> - Cribl Support Case Number
[-p <path>] - Diagnostic bundle path (if empty then new bundle will be created)
groups
Manages Worker Groups.
Usage: [sub-command] [options] [args]
Commands:
commit - Commit, args:
[-g <group>] - Group ID
[-m <message>] - Commit message
commit-deploy - Commit & Deploy, args:
-g <group> - Group ID
[-m <message>] - Commit message
deploy - Deploy, args:
-g <group> - Group ID
[-v <version>] - Deploy version
list - List Worker Groups
keys
Manages encryption keys. You must append the -g <group> argument to specify a Worker Group. As a fallback, append the argument -g default, e.g.:
./cribl keys list -g default
Usage: [sub-command] [options] [args]
Commands:
add - Add encryption keys, args:
-g <group> - Group ID
[-c <keyclass>] - key class to set for the key
[-k <kms>] - KMS to use, must be configured, see cribl.yml
[-e <expires>] - expiration time, epoch time
[-i ] - use an initialization vector
list - List encryption keys
-g <group> - Group ID
mode-searchhead
Configures Cribl LogStream to run on a Splunk Search Head.
nc
Listens on a port for traffic, and outputs stats and data. (Netcat-like utility.)
Usage: [options] [args]
Options:
-p <port> - Port to listen on
[-s <statsInterval>] - Stats output interval (ms), use 0 to disable
[-u] - Listen on UDP port instead
[-o] - Output received data to stdout
[-t <rate> <units>] - Throttle rate, in <units>/second, where <units> can be KB, MB, GB, or TB
node
Executes a JavaScript file. Displays a command prompt for path/filename input, as shown here:
>
pipe
Feeds stdin to a pipeline. Examples:
cat sample.log | ./cribl pipe -p <pipelineName>
cat sample.log | ./cribl pipe -p <pipelineName> 2>/dev/null
scope
Greps your apps by the syscalls. Executes immediately.
splunk-decrypt
Splunk decrypt search command. Executes immediately.
task
Runs a Cribl LogStream task. Requires definitions for the dir, executor, and path properties.
vars
Manages LogStream Global Variables.
Usage: [sub-command] [options] [args]
Commands:
add - Add global variable, args:
-i <id> - Global variable ID
-t <type> - Type
-v <value> - Value
[-a <args>] - Arguments
[-d <description>] - Description
[-c <tags>] - Custom Tags (comma separated list)
[-g <group>] - Group ID
get - List encryption keys, args:
[-i <id>] - Global variable ID
[-g <group>] - Group ID
remove - Remove global variable, args:
-i <id> - Global variable ID
[-g <group>] - Group ID
update - Update global variable, args:
-i <id> - Global variable ID
-t <type> - Type
-v <value> - Value
[-a <args>] - Arguments
[-d <description>] - Description
[-c <tags>] - Custom Tags (comma separated list)
[-g <group>] - Group ID