Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF – v.3.1.1

Config Files

Understanding Configuration Paths and Files

Even though all LogStream Routes, Pipelines, and Functions can be managed from the UI, it's important to understand how the configuration works under the hood. Here is how configuration paths and files are laid out on the filesystem.

Path Placeholder

Expanded Path

$CRIBL_HOME

Standalone Install:
/path/to/install/cribl/ – referred to
below as $CRIBL_HOME

Cribl App for Splunk Install:
$SPLUNK_HOME/etc/apps/cribl/

All paths below are relative to $CRIBL_HOME in a single-instance deployment, or to $CRIBL_HOME/groups/<group‑name>/ in a distributed deployment.

Category

Relative Path

Default Configurations
Out-of-the-box defaults (rewritable) and libraries (expandable)

default/cribl

Local Configurations
User-created integrations and resources

local/cribl

System Configuration

(default|local)/cribl/cribl.yml
See cribl.yml

API Configuration

(default|local)/cribl/cribl.yml > [api] section
See cribl.yml

Source Configuration

(default|local)/cribl/inputs.yml
See inputs.yml

Destination Configuration

(default|local)/cribl/outputs.yml
See outputs.yml

License Configuration

(default|local)/cribl/licenses.yml

Regexes Configuration

(default|local)/cribl/regexes.yml

Breakers Configuration

(default|local)/cribl/breakers.yml

Limits Configuration

(default|local)/cribl/limits.yml

Pipelines Configuration

(default|local)/cribl/pipelines/<pname>
Each Pipeline's conf is contained therein.

Routes Configuration

(default|local)/cribl/pipelines/routes.yml

Functions

(default|local)/cribl/functions/<function_name>
Each function's code, conf is contained therein.

Functions Configuration

(default|local)/cribl/functions/<function_name>/...
Each function's conf is contained therein.

Roles Configuration

(default|local)/cribl/roles.yml
RBAC Role definitions. See roles.yml.

Policies Configuration

(default|local)/cribl/policies.yml
RBAC Policy definitions. See policies.yml.

Configurations and Restart

  • Configuration changes resulting from most UI interactions – for instance, changing the order of Functions in a Pipeline, or changing the order of Routes – do not require restarts.
  • Some configuration changes in the Settings UI do require restarts. You will be prompted to confirm before restarting.
  • All direct edits to configuration files in (bin|local|default)/cribl/... will require restarts.
  • Worker Nodes might temporarily disappear from the Leader's Workers tab while restarting.
  • When using the Cribl App for Splunk, changes to Splunk configuration files might or might not require restarts. Please check current Splunk docs.

Configuration Layering and Precedence

Similar to most *nix systems, Cribl configurations in local take precedence over those in default. There is no layering of configuration files.

🚧

Editing Configuration Files Manually

When config files must be edited manually, save all changes in local.

Updated 2 months ago

Config Files

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.