Cribl LogStream – Docs

Cribl LogStream Documentation

Download entire manual as PDF - v2.3.3

Splunk App Deployment *

Getting started with Cribl App for Splunk

🚧

Cribl App for Splunk for HFs Is Deprecated as of Cribl LogStream v2.1

Cribl will continue to support this package, but customers are advised to begin planning now for the eventual removal of support.

See Single-Instance Deployment and Distributed Deployment for alternatives.

Deploying Cribl App for Splunk

In a Splunk environment, Cribl LogStream can be installed and configured as a Splunk app (Cribl App for Splunk). Depending on your requirements and architecture, it can run either on a Search Head or on a Heavy Forwarder. Cribl App for Splunk cannot be used in a Cribl LogStream Distributed Deployment, and cannot be managed by a Cribl Master Node.

Running on a Search Head (SH)

When running on an SH, Cribl LogStream is set to mode-searchhead, the default mode for the app. It listens for localhost traffic generated by a custom command: | criblstream. The command is used to forward search results to the LogStream instance's TCP JSON input on port 10420, but it's also capable of sending to any other LogStream instance listening for TCP JSON.

Once received, data can be processed and forwarded to any of the supported Destinations. In addition, several out-of-the-box saved searches are ready to run and send their results to Cribl with a single click.

Installing the Cribl App for Splunk on an SH

  • Select an instance on which to install.
  • Ensure that ports 10000, 10420, and 9000 are available. See the Requirements section for more info.
  • Get the bits here, and install as a regular Splunk app.
  • Restart the Splunk instance.
  • Go to https://<instance>/en-US/app/cribl or https://<instance>:9000, and log in with Splunk admin role credentials.

Typical Use Cases for Search Head Mode

  • Working with search results in a Cribl LogStream pipeline.
  • Sending search results to any Destination supported by Cribl LogStream.

Running on a Heavy Forwarder (HF)

When running on an HF, Cribl LogStream is set to mode-hwf. It receives events from the local Splunk process per routing configurations in props.conf and transforms.conf. Data is parsed and processed first by Splunk pipelines, and then by LogStream. By default, all data except internal indexes is routed out right after the Typing pipeline.

Cribl LogStream is capable of accepting data streams (unbroken events) or events from other sources. In this case, the HF will deliver events locally to LogStream, which processes them and sends them to one or more destinations downstream. When receivers are Splunk indexers, LogStream can also load-balance across them.

Installing the Cribl App for Splunk on an HF

  • Select an instance on which to install.
  • Ensure that ports 10000, 10420, and 9000 are available. See here.
  • Get the bits here, and install as a regular Splunk app.
  • Set Cribl to mode-hwf: $SPLUNK_HOME/etc/apps/cribl/bin/cribl mode-hwf.

⚠️

The SPLUNK_HOME environment variable must be defined.

  • Restart the Splunk instance.
  • Go to https://<instance>:9000 and log in with Splunk admin role credentials.

Note About Splunk Warnings

If you come across messages similar to the following example, on startup or in logs, please ignore them. They are benign warnings.

Invalid value in stanza [route2criblQueue]/[hecCriblQueue] in /opt/splunk/etc/apps/cribl/default/transforms.conf, line 11: (key: DEST_KEY, value: criblQueue) / line 24: (key: DEST_KEY, value: $1)

Relevant configurations in Cribl App for Splunk on an HF

When Cribl App for Splunk is installed on an HF (in mode-hwf), the following are the relevant sections of the Splunk configuration files that enable Splunk to send data to Cribl LogStream:

# outputs.conf: forward cooked data to the local LogStream listener on port 10000
[tcpout]
disabled = false
defaultGroup = cribl

[tcpout:cribl]
server = 127.0.0.1:10000
sendCookedData = true
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0

# inputs.conf: queue routing for events arriving on the splunktcp input
[splunktcp]
route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:__CRIBBLED:indexQueue;has_key:_linebreaker:criblQueue;absent_key:_linebreaker:parsingQueue

# transforms.conf: the REGEX on the index name matches every index that does not
# start with an underscore, so internal indexes are kept out of LogStream
[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl

[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue

# props.conf: apply both transforms to all data
[default]
TRANSFORMS-cribl = route2criblQueue, route2cribl

Configuring Cribl LogStream with a Subset of Your Data

The props.conf [default] stanza above applies the transforms to every event. Depending on your requirements, you might want to target only a subset of your sources, sourcetypes, or hosts. For example, the diagram below shows the effective configurations of outputs.conf, props.conf, and transforms.conf needed to send <bluedata> events through Cribl LogStream.
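As an added illustration (constructed here, not taken from the page or from Cribl's own app), the fragments below narrow the routing shown earlier to one sourcetype. They assume a hypothetical sourcetype named bluedata, placeholder indexer hostnames, and a second tcpout group, indexers, set as defaultGroup so that events without a _TCP_ROUTING override bypass LogStream.

```ini
# outputs.conf: the local LogStream listener becomes a non-default group.
# Assumption (not from the page): a second group, "indexers", is the default,
# so events that carry no _TCP_ROUTING override bypass LogStream entirely.
[tcpout]
disabled = false
defaultGroup = indexers

# placeholder indexer hostnames
[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

[tcpout:cribl]
server = 127.0.0.1:10000
sendCookedData = true
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0

# transforms.conf: identical to the full-routing transforms; the REGEX on the
# index name still keeps internal (underscore-prefixed) indexes out.
[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl

[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue

# props.conf: the [default] stanza is replaced by a scoped stanza, so only
# events of sourcetype "bluedata" (placeholder) are tagged for the cribl group.
[bluedata]
TRANSFORMS-cribl = route2criblQueue, route2cribl

# The same scoping by source path or by host would read (placeholders):
# [source::/var/log/bluedata/*.log]
# TRANSFORMS-cribl = route2criblQueue, route2cribl
# [host::bluedata-*]
# TRANSFORMS-cribl = route2criblQueue, route2cribl
```

Splunk .conf files do not accept trailing comments on a value line, so every comment above sits on its own line.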

Configure Cribl LogStream to Send Data to Splunk Indexers

To send data from Cribl LogStream to a set of Splunk indexers, use the LogStream UI to go to Destinations > Splunk Load Balanced, then enter the required information.
