Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF – v.3.0.1

Config Files

Understanding Configuration Paths and Files

Even though all LogStream Routes, Pipelines, and Functions can be managed from the UI, it's important to understand how the configuration works under the hood. Here is how configuration paths and files are laid on the filesystem.


Standalone Install:

Cribl App for Splunk Install:

All paths below are relative to $CRIBL_HOME.

Default Configurations


Local Configurations


System Configuration

See cribl.yml

API Configuration


Source Configuration

See inputs.yml

Destination Configuration

See outputs.yml

License Configuration


Regexes Configuration


Breakers Configuration


Limits Configuration


Pipelines Configuration

Each pipeline's conf is contained therein

Routes Configuration



Each function's code, conf is contained therein

Functions Conf

Each function's conf contained therein.

Configurations and Restart

  • Any configuration changes resulting from UI interactions, for instance, changing the order of functions in a pipeline, or changing the order of routes, do not require restarts.
  • All Cribl LogStream configuration file changes resulting from direct file manipulations in
    (bin|local|default)/cribl/... will require restarts.
  • Worker Nodes might temporarily disappear from the Leader's Workers tab while restarting.
  • In the case of a Cribl App for Splunk, Splunk configurations file changes might or might not require restarts. Please check with recent Splunk docs.

Configuration Layering and Precedence

Similar to most *nix systems, Cribl configurations in local take precedence over those in default. There is no layering of configuration files.


Editing Configuration Files Manually

When config files must be edited manually, save all changes in local.

Updated about a month ago

Config Files

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.