Getting started with Cribl LogStream

Splunk App Deployment

Deploying Cribl App for Splunk


In a Splunk environment, Cribl can be installed and configured as a Splunk app. Depending on your requirements and architecture, it can run on a Search Head, on a Heavy Forwarder (strongly advised), or on an Indexer.

Running on a Search Head (SH)

When running on a SH, Cribl is set to mode-searchhead, the default mode for the app. It listens for localhost traffic generated by a custom search command, | criblstream. The command forwards search results to the Cribl instance's TCPJSON input on port 10420, but it can also send to any other Cribl instance listening for TCPJSON. Once in Cribl, data can be processed and forwarded to any of the supported destinations. In addition, several out-of-the-box saved searches are ready to run and send their results to Cribl with a single click.

Installing the Cribl App for Splunk on a SH

  • Select an instance on which to install the app.
  • Ensure that ports 10000, 10420 and 9000 are available. See the Before Deploying section for more info.
  • Get the bits here and install as a regular Splunk app.
  • Restart the Splunk instance.
  • Go to https://<instance>/en-US/app/cribl or https://<instance>:9000 and log in with Splunk admin-role credentials.

Typical Use Cases for Search Head mode

  • Working with search results in a Cribl pipeline.
  • Sending search results to any Destination supported by Cribl.

Running on a Heavy Forwarder (HF)

When running on an HF, Cribl is set to mode-hwf and receives events from the local Splunk process according to the routing configuration in props.conf and transforms.conf. Data is first parsed and processed by the Splunk pipelines and then by Cribl. By default, all data except internal indexes is routed out to Cribl right after the Typing pipeline.

Cribl can also accept data streams (unbroken events) or events from other sources. In the HF case, the HF delivers events locally to Cribl, which processes them and sends them to one or more downstream destinations. When the receivers are Splunk indexers, Cribl can also load balance across them.

Installing the Cribl App for Splunk on a HF

  • Select an instance on which to install the app.
  • Ensure that ports 10000, 10420 and 9000 are available. See here.
  • Get the bits here and install as a regular Splunk app.
  • Set Cribl to mode-hwf: $SPLUNK_HOME/etc/apps/cribl/bin/cribld mode-hwf
    • Note: the SPLUNK_HOME environment variable must be defined.
  • Restart the Splunk instance.
  • Go to https://<instance>:9000 and log in with Splunk admin-role credentials.

Note about Splunk warnings

If you come across messages similar to the one below on startup, or in the logs:
Invalid value in stanza [route2criblQueue]/[hecCriblQueue] in /opt/splunk/etc/apps/cribl/default/transforms.conf, line 11: (key: DEST_KEY, value: criblQueue) / line 24: (key: DEST_KEY, value: $1)
please ignore them; these warnings are benign.

Relevant configurations in Cribl App for Splunk on a HF

When the Cribl App for Splunk is installed on a HF (in mode-hwf), the following stanzas in its configuration files are what enable Splunk to send data to Cribl.

# outputs.conf: send cooked data to the local Cribl TCP input on port 10000
[tcpout]
disabled = false
defaultGroup = cribl

[tcpout:cribl]
server = 127.0.0.1:10000
sendCookedData = true
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0

# inputs.conf: queue routing; events that have been through Cribl carry __CRIBBLED and go to the index queue
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:__CRIBBLED:indexQueue;has_key:_linebreaker:criblQueue;absent_key:_linebreaker:parsingQueue

# transforms.conf: only events bound for non-internal indexes (index name not starting with "_") are routed to Cribl
[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl

[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue

# props.conf: apply both transforms to all data
[default]
TRANSFORMS-cribl = route2criblQueue, route2cribl

Configuring Cribl with a subset of your data

The props.conf [default] stanza above applies the transforms to everything. Depending on your requirements, you may want to target only a subset of your sources, sourcetypes or hosts. For example, the diagram below shows the effective configurations of outputs.conf, props.conf and transforms.conf needed to send <bluedata> events through Cribl.
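As an added example (not from the Cribl docs), here is one way to scope the routing to a subset using the same props.conf mechanism, with the app's own transforms.conf and outputs.conf left unchanged. It assumes the usual Splunk precedence of local/ over default/ within the app, and that an empty TRANSFORMS-<class> value in local/ cancels the catch-all; the sourcetype, host and source values are constructed stand-ins for the page's <bluedata>.

```ini
# $SPLUNK_HOME/etc/apps/cribl/local/props.conf

# 1. Cancel the catch-all from default/props.conf. Setting the same
#    TRANSFORMS-<class> name to an empty value in local/ overrides it
#    (assumed behaviour; verify with btool, see below).
[default]
TRANSFORMS-cribl =

# 2. Re-enable the app's two transforms only for the data that should
#    go through Cribl. Stanza keys use Splunk's usual forms: a bare
#    sourcetype, host::<pattern>, or source::<pattern>.
#    All three values below are constructed examples.
[access_combined]
TRANSFORMS-cribl = route2criblQueue, route2cribl

[host::web-*]
TRANSFORMS-cribl = route2criblQueue, route2cribl

[source::/var/log/nginx/*]
TRANSFORMS-cribl = route2criblQueue, route2cribl

# transforms.conf and outputs.conf stay as shipped with the app:
# route2cribl sets _TCP_ROUTING to the "cribl" tcpout group
# (127.0.0.1:10000) and route2criblQueue moves the event to criblQueue.
# Both keep REGEX = ^[^_] on _MetaData:Index, so internal indexes
# (_internal, _audit, ...) never leave the normal Splunk path even
# when a matching stanza above is broad.
```

Check the merged result before restarting with `$SPLUNK_HOME/bin/splunk btool props list access_combined --debug`, which prints each effective key together with the file it came from.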

Configure Cribl to send data to Splunk Indexers

To send data from Cribl to a set of Splunk indexers, use the Cribl UI to go to Destinations | Splunk Load Balanced and enter the required information.

Running on an Indexer

Cribl can natively accept data streams (unbroken events) or events from sources. In this case, data comes directly into Cribl, which processes it and then sends it downstream, including to the local Splunk indexer instance. This is exactly like a Standalone Deployment, but using a Splunk Indexer instance as the host.
