Cribl LogStream - Docs

Getting started with Cribl LogStream


Splunk App Deployment *

Getting started with Cribl App for Splunk

* Cribl App for Splunk for HFs is deprecated as of Cribl LogStream v2.1

Cribl will continue to support this package but customers are advised to begin planning now for the eventual removal of support.
See Single Instance Deployment and Distributed Deployment for alternatives.


Deploying Cribl App for Splunk


In a Splunk environment, Cribl LogStream can be installed and configured as a Splunk app (Cribl App for Splunk). Depending on your requirements and architecture, it can run either on a Search Head or on a Heavy Forwarder (strongly advised). Cribl App for Splunk cannot be used in a Cribl LogStream Distributed Deployment, nor can it be managed by a Cribl Master Node.

Running on a Search Head (SH)


When running on a SH, Cribl LogStream is set to mode-searchhead, the app's default mode. It listens for localhost traffic generated by the custom search command | criblstream. The command forwards search results to the Cribl LogStream instance's TCPJSON input on port 10420, but it can also send to any other Cribl LogStream instance listening for TCPJSON. Once received, the data can be processed and forwarded to any of the supported Destinations. In addition, several out-of-the-box saved searches are ready to run and send their results to Cribl with a single click.

Installing the Cribl App for Splunk on a SH

  • Select an instance to install on.
  • Ensure that ports 10000, 10420 and 9000 are available. See the Before Deploying section for more info.
  • Get the bits here and install as a regular Splunk app.
  • Restart the Splunk instance.
  • Go to https://<instance>/en-US/app/cribl or https://<instance>:9000 and log in with Splunk admin-role credentials.

Typical Use Cases for Search Head mode

  • Working with search results in a Cribl LogStream pipeline.
  • Sending search results to any Destination supported by Cribl LogStream.

Running on a Heavy Forwarder (HF)


When running on an HF, Cribl LogStream is set to mode-hwf and receives events from the local Splunk process according to the routing configuration in props.conf and transforms.conf. Data is first parsed and processed by the Splunk pipelines and then by Cribl LogStream. By default, all data except internal indexes (index names beginning with an underscore) is routed out right after the Typing pipeline.

Cribl LogStream can accept data streams (unbroken events) or events from other sources. In this case, the HF delivers events locally to Cribl LogStream, which processes them and sends them to one or more downstream destinations. When the receivers are Splunk indexers, Cribl LogStream can also load balance across them.

Installing the Cribl App for Splunk on a HF

  • Select an instance to install on.
  • Ensure that ports 10000, 10420 and 9000 are available. See here.
  • Get the bits here and install as a regular Splunk app.
  • Set Cribl to mode-hwf: $SPLUNK_HOME/etc/apps/cribl/bin/cribl mode-hwf
    • Note: the SPLUNK_HOME environment variable must be defined.
  • Restart the Splunk instance.
  • Go to https://<instance>:9000 and log in with Splunk admin-role credentials.

Note about Splunk warnings

If you come across messages similar to the following on startup or in the logs:
Invalid value in stanza [route2criblQueue]/[hecCriblQueue] in /opt/splunk/etc/apps/cribl/default/transforms.conf, line 11: (key: DEST_KEY, value: criblQueue) / line 24: (key: DEST_KEY, value: $1)
please ignore them. They are benign warnings.

Relevant configurations in Cribl App for Splunk on a HF

When Cribl App for Splunk is installed on an HF (in mode-hwf), these are the relevant sections of the configuration files that enable Splunk to send data to Cribl LogStream. The comment above each group names the file it belongs to.

# outputs.conf: send cooked data to the local Cribl LogStream listener on port 10000
[tcpout]
disabled = false
defaultGroup = cribl

[tcpout:cribl]
server = 127.0.0.1:10000
sendCookedData = true
useACK = false
negotiateNewProtocol = false
negotiateProtocolLevel = 0

# inputs.conf: queue routing for data arriving on the splunktcp input;
# events that carry _linebreaker go to criblQueue, already-Cribbled events go straight to indexQueue
[splunktcp]
route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:__CRIBBLED:indexQueue;has_key:_linebreaker:criblQueue;absent_key:_linebreaker:parsingQueue

# transforms.conf: match every index whose name does not start with "_" (i.e. non-internal indexes)
[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl

[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue

# props.conf: apply both transforms to all data
[default]
TRANSFORMS-cribl = route2criblQueue, route2cribl

Configuring Cribl LogStream with a subset of your data

The props.conf [default] stanza above applies the transforms to everything. Depending on your requirements, you may want to target only a subset of your sources, sourcetypes or hosts. For example, the diagram below shows the effective configurations of outputs.conf, props.conf and transforms.conf needed to send <bluedata> events through Cribl.
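To check which events the stanzas above actually hand to Cribl, here is an added example (not code from this page or from Cribl) that reads the page's transforms.conf stanzas and applies them to sample events under two props.conf variants: the [default] stanza from the page, which routes every non-internal index, and a sourcetype-scoped stanza that routes only the "bluedata" sourcetype (a placeholder name taken from the page's own wording). The .conf reader and the "sourcetype stanza overrides [default] for the same attribute" rule are simplifications of Splunk's precedence logic, written here for illustration.

```python
import re

# Constructed example (added here; not from the original page): the page's two
# transforms, plus a props.conf that applies them only to the "bluedata" sourcetype.
TRANSFORMS_CONF = """
[route2cribl]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = _TCP_ROUTING
FORMAT = cribl

[route2criblQueue]
SOURCE_KEY = _MetaData:Index
REGEX = ^[^_]
DEST_KEY = queue
FORMAT = criblQueue
"""
PROPS_ALL = "[default]\nTRANSFORMS-cribl = route2criblQueue, route2cribl\n"
PROPS_SUBSET = "[bluedata]\nTRANSFORMS-cribl = route2criblQueue, route2cribl\n"

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_event(event, props_text, transforms_text):
    """Apply TRANSFORMS-* from [default] and from the event's sourcetype stanza
    (the latter overriding same-named attributes); return (_TCP_ROUTING, queue)."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    settings = dict(props.get("default", {}))
    settings.update(props.get(event.get("sourcetype", ""), {}))
    event = dict(event)  # never mutate the caller's event
    for key, names in settings.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = transforms[name]
            if re.search(t["REGEX"], event.get(t["SOURCE_KEY"], "")):
                event[t["DEST_KEY"]] = t["FORMAT"]
    return event.get("_TCP_ROUTING"), event.get("queue")
```

With PROPS_ALL, an event in index main gets ("cribl", "criblQueue") while one in _internal gets (None, None); with PROPS_SUBSET, only events whose sourcetype is bluedata are routed.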

Configure Cribl LogStream to send data to Splunk Indexers

To send data from Cribl LogStream to a set of Splunk indexers, use the UI to go to Destinations | Splunk Load Balanced and enter the required information.
