Crib LogStream - Docs

Getting started with Cribl LogStream

Questions? We'd love to help you! Meet us in #cribl (sign up)
Download manual as PDF - v2.1

    Docs Home

Config Files

Understanding Configuration Paths and Files

Even though all the Routes, Pipelines and Functions can be managed from the UI, it's important to understand how the configuration works under the hood. At the time of this writing this is how configuration paths and files are laid on the filesystem.

$CRIBL_HOME

Standalone Install:
/path/to/install/cribl/

Splunk App Install:
$SPLUNK_HOME/etc/apps/cribl/

All paths below relative to $CRIBL_HOME

Default Configurations

default/cribl

Local Configurations

local/cribl

System Configuration

(default|local)/cribl/cribl.yml
See cribl.yml

API Configuration

(default|local)/cribl/api.yml

Source Configuration

(default|local)/cribl/inputs.yml
See inputs.yml

Destination Configuration

(default|local)/cribl/outputs.yml
See outputs.yml

License Configuration

(default|local)/cribl/licenses.yml

Regexes Configuration

(default|local)/cribl/regexes.yml

Breakers Configuration

(default|local)/cribl/breakers.yml

Limits Configuration

(default|local)/cribl/limits.yml

Pipelines Configuration

(default|local)/cribl/pipelines/<pname>
Each pipeline's conf is contained therein

Routes Configuration

(default|local)/cribl/pipelines/routes.yml

Functions

(default|local)/cribl/functions/<function_name>
Each function's code, conf is contained therein

Functions Conf

(default|local)/cribl/functions/<function_name>/...
Each function's conf contained therein.

Configurations and Restart

  • Any configuration changes resulting from UI interactions, for instance, changing the order of functions in a pipeline, or changing the order of routes, do not require restarts.
  • All Cribl LogStream configuration file changes resulting from direct file manipulations in
    (bin|local|default)/cribl/... will require restarts.
  • In the case of a Cribl App for Splunk, Splunk configurations file changes may or may not require restarts. Please check with recent Splunk docs.

Configuration Layering and Precedence

Similar to most *nix systems, Cribl configurations in local take precedence over those in default. There is no layering of configuration files.

Editing Configuration Files Manually

When config files must be edited manually, all changes should be done in local.

Updated about a month ago

Config Files

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.