Cribl - Docs

Getting started with Cribl LogStream


Configuring Splunk

There are three deployment options for Cribl in a Splunk environment, and all of them involve heavy forwarders (HFs) or indexers. The recommended choice depends on your requirements and architecture. In all cases, however, Cribl works with parsed data: Cribl accepts data only after it has passed through Splunk's typing pipeline.

Option A: Deploying Cribl on a Splunk Heavy Forwarder
Option B: Deploying Cribl on a Splunk Indexer Listening for Parsed Data
Option C: Deploying Cribl on a Splunk Indexer (when no HFs are available)

Note about Splunk warnings

If you see messages like the following at startup or in the logs:
Invalid value in stanza [route2criblQueue]/[hecCriblQueue] in /opt/splunk/etc/apps/cribl/default/transforms.conf, line 11: (key: DEST_KEY, value: criblQueue) / line 24: (key: DEST_KEY, value: $1)
you can ignore them. They are benign warnings.

Option A. Deploying Cribl on a Splunk Heavy Forwarder


Overview: HF delivers data to Cribl (local). Cribl processes it and then load balances it out to downstream receivers, typically indexers.

1. Configure Splunk to route data to Cribl

Assuming Cribl is installed as an app on a Splunk heavy forwarder, the following configuration files and settings make Splunk send data to Cribl. (These configs ship with the Cribl app by default.)

outputs.conf:

[tcpout]
disabled = false
indexAndForward = true
defaultGroup = nowhere

[tcpout:cribl]
server=127.0.0.1:10000
sendCookedData=true
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0

transforms.conf:

[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl

[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue

[route2local]
SOURCE_KEY = _MetaData:Index
REGEX = ^[_]
DEST_KEY = _INDEX_AND_FORWARD_ROUTING
FORMAT = local 


[hecCriblQueue]
SOURCE_KEY = field:_CRIBL_QUEUE
REGEX = (.*)
DEST_KEY = queue
FORMAT = $1

[hecCriblTcpRouting]
SOURCE_KEY = field:_CRIBL_TCP_ROUTING
REGEX = (.*)
DEST_KEY = _TCP_ROUTING
FORMAT = $1

fields.conf:

[accepted_keys]
route2local = _INDEX_AND_FORWARD_ROUTING
criblpipe = __CRIBL_PIPE

Note: the props.conf stanza below applies the transforms above to everything. Depending on your requirements, you may want to apply them selectively to a subset of your sources, sourcetypes or hosts.

[default]
TRANSFORMS-cribl = route2criblQueue, route2cribl, hecCriblQueue, hecCriblTcpRouting, route2local

2. Configure Cribl to send data to Splunk

To send data from Cribl to a set of Splunk indexers use the Cribl UI to go to Destinations | Splunk Load Balanced and enter the required information.

Special Note: Configuring Cribl with a subset of your data

Let's assume that only events from source /path/to/foo.log need to go through Cribl. Change apps/cribl/local/props.conf as follows:

[default]
TRANSFORMS-cribl =

[source::...foo.log]
TRANSFORMS-cribl = route2criblQueue, route2cribl
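To see what the transforms above actually do to an event, both with the shipped props.conf (everything routed to Cribl) and with the subset props.conf from the note, here is an added example that walks constructed events through them. It is not code from Cribl or Splunk: it is a small model of the SOURCE_KEY/REGEX/DEST_KEY/FORMAT mechanics and of a source:: stanza overriding [default], written for this page. The source paths, the event metadata and the HEC field values "indexQueue" and "indexers" are made up for the demonstration.

```python
"""Walk sample parsed events through the Cribl app's routing transforms.

Added example, not code from Cribl or Splunk. Models only the parts of
Splunk's transforms.conf/props.conf semantics this page relies on: SOURCE_KEY
(metadata or field:<name>), REGEX, DEST_KEY, FORMAT with $N back-references,
transforms run in TRANSFORMS-cribl order, and a source:: stanza overriding
[default]. Precedence between several matching source:: stanzas and what
Splunk does after the routing keys are set are out of scope.
"""
import configparser
import re

# Copy of the transforms.conf stanzas shown above.
TRANSFORMS_CONF = """
[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl
[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue
[route2local]
SOURCE_KEY = _MetaData:Index
REGEX = ^[_]
DEST_KEY = _INDEX_AND_FORWARD_ROUTING
FORMAT = local
[hecCriblQueue]
SOURCE_KEY = field:_CRIBL_QUEUE
REGEX = (.*)
DEST_KEY = queue
FORMAT = $1
[hecCriblTcpRouting]
SOURCE_KEY = field:_CRIBL_TCP_ROUTING
REGEX = (.*)
DEST_KEY = _TCP_ROUTING
FORMAT = $1
"""

# props.conf as shipped (everything goes through Cribl) ...
PROPS_CONF_ALL = """
[default]
TRANSFORMS-cribl = route2criblQueue, route2cribl, hecCriblQueue, hecCriblTcpRouting, route2local
"""
# ... and as in the "subset of your data" note (only ...foo.log does).
PROPS_CONF_SUBSET = """
[default]
TRANSFORMS-cribl =

[source::...foo.log]
TRANSFORMS-cribl = route2criblQueue, route2cribl
"""


def load_conf(text):
    """Parse Splunk-style .conf text, keeping key case (SOURCE_KEY, not source_key)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def source_glob_matches(pattern, source):
    """Splunk source:: globbing: '...' spans '/' separators, '*' does not."""
    rx = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(rx, source) is not None


def transform_order(props, source):
    """TRANSFORMS-cribl for this source: a matching source:: stanza overrides [default]."""
    chosen = props["default"].get("TRANSFORMS-cribl", "")
    for section in props.sections():
        if section.startswith("source::") and source_glob_matches(section[len("source::"):], source):
            chosen = props[section].get("TRANSFORMS-cribl", "")
    return [n.strip() for n in chosen.split(",") if n.strip()]


def apply_transforms(event, transforms, order):
    """Run the transforms in order; a later transform overwrites an earlier DEST_KEY."""
    keys = {}
    for name in order:
        t = transforms[name]
        src = t["SOURCE_KEY"]
        # field:<name> reads an indexed field (as set on a HEC event); anything else is metadata.
        value = event.get("fields", {}).get(src[6:]) if src.startswith("field:") else event.get(src)
        if value is None:
            continue  # SOURCE_KEY absent on this event: the transform does nothing
        m = re.search(t["REGEX"], value)
        if m is None:
            continue
        keys[t["DEST_KEY"]] = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), t["FORMAT"])
    return keys


def route(event, props_text):
    """Routing keys the HF's typing pipeline leaves on the event under the given props.conf."""
    order = transform_order(load_conf(props_text), event.get("source", ""))
    return apply_transforms(event, load_conf(TRANSFORMS_CONF), order)


# Constructed events: an app log, the matching foo.log, a splunkd log bound for
# _internal, and a HEC event whose _CRIBL_* fields carry made-up names.
EVENTS = {
    "app log": {"source": "/var/log/app.log", "_MetaData:Index": "main"},
    "foo.log": {"source": "/path/to/foo.log", "_MetaData:Index": "main"},
    "splunkd": {"source": "/opt/splunk/var/log/splunk/splunkd.log", "_MetaData:Index": "_internal"},
    "hec": {"source": "http:cribl", "_MetaData:Index": "main",
            "fields": {"_CRIBL_QUEUE": "indexQueue", "_CRIBL_TCP_ROUTING": "indexers"}},
}

if __name__ == "__main__":
    for label, props in (("all", PROPS_CONF_ALL), ("subset", PROPS_CONF_SUBSET)):
        for name, ev in EVENTS.items():
            print(f"{label:6} {name:8} -> {route(ev, props)}")
```

Two things the run makes visible that the stanzas alone do not: events for indexes starting with an underscore (_internal, _audit, ...) never get _TCP_ROUTING = cribl and instead get _INDEX_AND_FORWARD_ROUTING = local, so Splunk's own internal logs stay out of Cribl; and because hecCriblQueue and hecCriblTcpRouting run after route2criblQueue and route2cribl, an event that already carries _CRIBL_QUEUE / _CRIBL_TCP_ROUTING fields has its queue and tcpout group overridden by those field values. With the subset props.conf, anything not matching ...foo.log gets no routing keys at all.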

Option B. Deploying Cribl on a Splunk Indexer Listening for Parsed Data


Overview: HFs deliver data to indexers on a port that Cribl listens on. Cribl processes it and then load balances it out to the rest of the indexers.

1. Disable routing of local data to Cribl

Using your preferred/required configuration management system, deploy the following change to the Cribl app's props.conf on the indexer, so that data arriving locally is no longer routed to Cribl:

[default]
TRANSFORMS-cribl =

2. Configure Cribl to ingest parsed Splunk data

On the Cribl UI go to Sources | Splunk and configure a port for incoming Splunk data.

3. Configure your HFs

Using your preferred/required configuration management system, point your HFs at this port. Ensure that the protocol negotiation settings of the tcpout group are set as below. Note that useACK = false disables indexer acknowledgement for this group, so the HF does not wait for the receiver to confirm delivery.

[tcpout:<cribl_target_group>]
.....
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0

4. Configure Cribl to send data to rest of Splunk indexers

To send data from Cribl to a set of Splunk indexers use the Cribl UI to go to Destinations | Splunk Load Balanced and enter the required information.
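Before rolling the Option B changes out, it helps to verify them on the files your configuration management system produces. The following is an added example, not Cribl's or Splunk's code: it parses a heavy forwarder's outputs.conf and reports any of the three required protocol settings that are wrong or missing in the tcpout group feeding Cribl, and checks that the Cribl app's props.conf on the indexer has TRANSFORMS-cribl emptied as in step 1. The group name cribl_in, the hostnames, the ports and the .conf contents are constructed for the demonstration.

```python
"""Preflight the Option B settings on HF outputs.conf and indexer props.conf.

Added example, not code from Cribl or Splunk. The tcpout group name
"cribl_in", the hostnames and the file contents below are constructed.
"""
import configparser

# Settings step 3 requires on the HF's tcpout group that targets the Cribl port.
REQUIRED_TCPOUT = {
    "useACK": "false",
    "negotiateNewProtocol": "false",
    "negotiateProtocolLevel": "0",
}

# Constructed HF outputs.conf: one group done right, one that still has
# indexer acknowledgement on and never sets negotiateNewProtocol.
HF_OUTPUTS_CONF = """
[tcpout]
defaultGroup = cribl_in

[tcpout:cribl_in]
server = idx1.example.internal:10000, idx2.example.internal:10000
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0

[tcpout:legacy]
server = idx1.example.internal:9997
useACK = true
negotiateProtocolLevel = 0
"""

# Constructed Cribl app props.conf on the indexer, before and after step 1.
INDEXER_PROPS_BEFORE = """
[default]
TRANSFORMS-cribl = route2criblQueue, route2cribl, hecCriblQueue, hecCriblTcpRouting, route2local
"""
INDEXER_PROPS_AFTER = """
[default]
TRANSFORMS-cribl =
"""


def load_conf(text):
    """Parse Splunk-style .conf text, keeping key case (useACK, not useack)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_tcpout_group(outputs_text, group):
    """Map each required setting that is wrong or absent to its actual value (None if absent).

    An empty result means the group is configured as the page requires.
    A missing stanza is reported as {"stanza": None}.
    """
    conf = load_conf(outputs_text)
    stanza = f"tcpout:{group}"
    if not conf.has_section(stanza):
        return {"stanza": None}
    problems = {}
    for key, wanted in REQUIRED_TCPOUT.items():
        actual = conf[stanza].get(key)
        if actual is None or actual.strip().lower() != wanted:
            problems[key] = actual
    return problems


def local_routing_disabled(props_text):
    """True when [default] TRANSFORMS-cribl is present and empty, i.e. step 1 has been applied."""
    conf = load_conf(props_text)
    return (conf.has_option("default", "TRANSFORMS-cribl")
            and conf["default"]["TRANSFORMS-cribl"].strip() == "")


if __name__ == "__main__":
    for group in ("cribl_in", "legacy", "missing"):
        print(f"tcpout:{group}: {check_tcpout_group(HF_OUTPUTS_CONF, group) or 'OK'}")
    print("indexer props before step 1:", local_routing_disabled(INDEXER_PROPS_BEFORE))
    print("indexer props after step 1: ", local_routing_disabled(INDEXER_PROPS_AFTER))
```

The check deliberately treats an unset negotiateNewProtocol as a problem rather than assuming Splunk's default, since the page asks for all three values to be set explicitly. Run it against the files your configuration management system renders for each HF (for example, by reading them into outputs_text) before switching the HFs over to the Cribl port.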

Option C. Deploying Cribl on a Splunk Indexer (when no HFs are available)


Overview: The indexer delivers data to Cribl (local). Cribl processes it and then load balances it out to the rest of the indexers. This option is typically used when no HFs are available.

This configuration is identical to Option A above; in this case the indexer behaves as a heavy forwarder.