Cribl App for Splunk for HFs Is Deprecated as of Cribl LogStream v.2.1
Cribl will continue to support this package, but customers are advised to begin planning now for the eventual removal of support.
See Single-Instance Deployment and Distributed Deployment for alternatives.
Deploying Cribl App for Splunk
In a Splunk environment, Cribl LogStream can be installed and configured as a Splunk app (Cribl App for Splunk). Depending on your requirements and architecture, it can run either on a Search Head or on a Heavy Forwarder. Cribl App for Splunk cannot act as the Master in a Cribl LogStream Distributed Deployment, nor be managed as a Worker.
Running on a Search Head (SH)
When running on an SH, Cribl LogStream is set to mode-searchhead, the default mode for the app. It listens for localhost traffic generated by a custom search command, | criblstream. The command is used to forward search results to the LogStream instance's TCP JSON input on port 10420, but it is also capable of sending to any other LogStream instance listening for TCP JSON.
Once received, data can be processed and forwarded to any of the supported Destinations. In addition, several out-of-the box saved searches are ready to run and send their results to Cribl with a single click.
Installing the Cribl App for Splunk on an SH
- Select an instance on which to install.
- Ensure that ports 10000, 10420, and 9000 are available. See the Requirements section for more info.
- Get the bits here, and install as a regular Splunk app.
- Restart the Splunk instance.
- Go to https://<instance>/en-US/app/cribl or https://<instance>:9000, and log in with Splunk admin role credentials.
Typical Use Cases for Search Head Mode
- Working with search results in a Cribl LogStream pipeline.
- Sending search results to any Destination supported by Cribl LogStream.
Running on a Heavy Forwarder (HF)
When running on an HF, Cribl LogStream is set to mode-hwf. It receives events from the local Splunk process per the routing configurations in props.conf and transforms.conf. Data is parsed and processed first by Splunk pipelines, and then by LogStream. By default, all data except internal indexes is routed out right after the Typing pipeline.


Cribl LogStream is capable of accepting data streams (unbroken events) or events from other sources. In this case, the HF will deliver events locally to LogStream, which processes them and sends them to one or more destinations downstream. When receivers are Splunk indexers, LogStream can also load-balance across them.


Installing the Cribl App for Splunk on an HF
- Select an instance on which to install.
- Ensure that ports 10000, 10420, and 9000 are available. See here.
- Get the bits here, and install as a regular Splunk app.
- Set Cribl to mode-hwf: $SPLUNK_HOME/etc/apps/cribl/bin/cribl mode-hwf. The SPLUNK_HOME environment variable must be defined.
- Restart the Splunk instance.
- Go to https://<instance>:9000 and log in with Splunk admin role credentials.
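Both install procedures above (SH and HF) start with confirming that ports 10000, 10420 and 9000 are free. The following pre-install check is an added helper written for this page, not part of the Cribl app or of Splunk: it attempts to bind each port on the local address, which is the simplest offline way to tell whether another process already owns it. The bind address is a parameter because Splunk and LogStream may listen on all interfaces rather than only on 127.0.0.1.

```python
"""Pre-install check for the ports the Cribl App for Splunk needs.

Added helper, not part of the Cribl app: it tries to bind each port on the
chosen local address; a failed bind means something already listens there.
"""
import socket

# Ports the app requires on an SH or HF, as listed in the install steps above.
CRIBL_APP_PORTS = (10000, 10420, 9000)


def port_is_free(port, host="127.0.0.1"):
    """True if a fresh socket can bind host:port, i.e. nothing else holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def check_ports(ports=CRIBL_APP_PORTS, host="127.0.0.1"):
    """Map each port to True (free) or False (already in use)."""
    return {p: port_is_free(p, host) for p in ports}


def busy_ports(ports=CRIBL_APP_PORTS, host="127.0.0.1"):
    """Sorted list of the ports that are not free; empty means the install can proceed."""
    return sorted(p for p, ok in check_ports(ports, host).items() if not ok)


if __name__ == "__main__":
    busy = busy_ports()
    if busy:
        print("ports already in use, resolve before installing:", busy)
    else:
        print("all required ports are free:", list(CRIBL_APP_PORTS))
```

Run it once before installing the app; if Splunk is configured to bind all interfaces, call busy_ports(host="0.0.0.0") so the check reflects the address the listeners will actually use.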
Note About Splunk Warnings
If you come across messages similar to the following example, on startup or in logs, please ignore them. They are benign warnings.
Invalid value in stanza [route2criblQueue]/[hecCriblQueue] in /opt/splunk/etc/apps/cribl/default/transforms.conf, line 11: (key: DEST_KEY, value: criblQueue) / line 24: (key: DEST_KEY, value: $1)
Relevant configurations in Cribl App for Splunk on an HF
When Cribl App for Splunk is installed on an HF (in mode-hwf), below are the relevant sections in the configuration files that enable Splunk to send data to Cribl LogStream:
# outputs.conf: all forwarded data goes to the local LogStream instance on port 10000
[tcpout]
disabled = false
defaultGroup = cribl
[tcpout:cribl]
server=127.0.0.1:10000
sendCookedData=true
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0
# inputs.conf: queue selection for data arriving on the Splunk TCP input
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:__CRIBBLED:indexQueue;has_key:_linebreaker:criblQueue;absent_key:_linebreaker:parsingQueue
# transforms.conf: events whose index name does not start with "_" are routed to the cribl tcpout group and queue
[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl
[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue
# props.conf: apply both transforms to every event
[default]
TRANSFORMS-cribl = route2criblQueue, route2cribl
Configuring Cribl LogStream with a Subset of Your Data
The props.conf stanza above will apply both transforms to everything. Depending on your requirements, you might want to target only a subset of your sources, sourcetypes, or hosts. For example, the diagram below shows the effective configurations of outputs.conf, props.conf, and transforms.conf to send <bluedata> events through Cribl LogStream.
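To make the routing rules above concrete, both the shipped [default] configuration and the subset variant, here is an added Python model written for this page; it is not Cribl's or Splunk's code. It re-implements how the [splunktcp] route= string picks a queue and how the route2cribl/route2criblQueue transforms set _TCP_ROUTING and queue, then runs both on constructed sample events. Assumptions: route= rules are evaluated left to right with the first match winning; an event sent to indexQueue bypasses the Typing pipeline, so no transforms run on it; and a props.conf stanza named after a sourcetype applies only to that sourcetype. The sourcetype "bluedata" is a stand-in for the <bluedata> placeholder used above.

```python
"""Model of the HF-side routing rules in the Cribl App for Splunk (mode-hwf).

Added illustration, not Cribl's or Splunk's code: it re-implements the [splunktcp]
route= evaluation and the route2cribl/route2criblQueue transforms in plain Python
so their effect, and the effect of scoping props.conf, can be checked on sample events.
"""
import re

# [splunktcp] route= value copied from the inputs.conf stanza above.
SPLUNKTCP_ROUTE = (
    "has_key:_replicationBucketUUID:replicationQueue;"
    "has_key:_dstrx:typingQueue;"
    "has_key:__CRIBBLED:indexQueue;"
    "has_key:_linebreaker:criblQueue;"
    "absent_key:_linebreaker:parsingQueue"
)

# transforms.conf stanzas copied from the page.
TRANSFORMS = {
    "route2cribl": {"SOURCE_KEY": "_MetaData:Index", "REGEX": r"^[^_]",
                    "DEST_KEY": "_TCP_ROUTING", "FORMAT": "cribl"},
    "route2criblQueue": {"SOURCE_KEY": "_MetaData:Index", "REGEX": r"^[^_]",
                         "DEST_KEY": "queue", "FORMAT": "criblQueue"},
}

# props.conf as shipped: [default] applies the transforms to every event.
PROPS_ALL = {"default": ["route2criblQueue", "route2cribl"]}

# Hypothetical props.conf that scopes the same transforms to one sourcetype
# ("bluedata" stands in for the <bluedata> placeholder on the page).
PROPS_SUBSET = {"bluedata": ["route2criblQueue", "route2cribl"]}

# Constructed sample events as they look after Splunk has parsed them.
SAMPLE_EVENTS = [
    {"_MetaData:Index": "main", "MetaData:Sourcetype": "syslog", "_raw": "constructed syslog line"},
    {"_MetaData:Index": "_internal", "MetaData:Sourcetype": "splunkd", "_raw": "constructed internal line"},
    {"_MetaData:Index": "main", "MetaData:Sourcetype": "bluedata", "_raw": "constructed bluedata line"},
    {"_MetaData:Index": "main", "MetaData:Sourcetype": "syslog", "__CRIBBLED": "1",
     "_raw": "constructed line already processed by LogStream"},
]


def splunktcp_queue(event, route=SPLUNKTCP_ROUTE):
    """Queue for an event arriving on [splunktcp]: rules are checked left to
    right and the first has_key/absent_key rule that matches wins (assumption)."""
    for rule in route.split(";"):
        kind, key, queue = rule.split(":")
        present = key in event
        if (kind == "has_key" and present) or (kind == "absent_key" and not present):
            return queue
    return None  # no rule matched; Splunk would fall through to its default queue


def apply_transform(event, stanza):
    """Apply one transforms.conf stanza: when REGEX matches the SOURCE_KEY value,
    write FORMAT into DEST_KEY. Returns True if the stanza fired."""
    if re.search(stanza["REGEX"], event.get(stanza["SOURCE_KEY"], "")):
        event[stanza["DEST_KEY"]] = stanza["FORMAT"]
        return True
    return False


def transforms_for(event, props):
    """Transform names a props.conf table applies to this event: [default]
    matches everything; any other stanza name is matched against the sourcetype."""
    names = list(props.get("default", []))
    names += props.get(event.get("MetaData:Sourcetype", ""), [])
    return names


def route_hf_event(event, props=PROPS_ALL):
    """Return 'cribl' when the HF hands the event to LogStream (tcpout group cribl
    via criblQueue) and 'index' when it stays with local Splunk indexing."""
    event = dict(event)  # work on a copy so callers' events are not mutated
    if splunktcp_queue(event) == "indexQueue":
        return "index"  # __CRIBBLED data skips the Typing pipeline, so no transforms run
    for name in transforms_for(event, props):
        apply_transform(event, TRANSFORMS[name])
    if event.get("_TCP_ROUTING") == "cribl" and event.get("queue") == "criblQueue":
        return "cribl"
    return "index"


def route_all(events, props=PROPS_ALL):
    """Route a list of events; handy for comparing props.conf variants side by side."""
    return [route_hf_event(e, props) for e in events]


if __name__ == "__main__":
    for e, shipped, scoped in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS),
                                  route_all(SAMPLE_EVENTS, PROPS_SUBSET)):
        print(f"{e['_MetaData:Index']:<10} {e['MetaData:Sourcetype']:<9} "
              f"default-> {shipped:<6} bluedata-only-> {scoped}")
```

With the shipped [default] stanza every non-internal event leaves for LogStream, while the scoped stanza only diverts the bluedata sourcetype; the __CRIBBLED marker is what keeps data that LogStream has already handled from being routed out a second time.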


Configure Cribl LogStream to Send Data to Splunk Indexers
To send data from Cribl LogStream to a set of Splunk indexers, use the LogStream UI to go to Destinations > Splunk Load Balanced, then enter the required information.