Cribl LogStream – Docs

Getting started with Cribl LogStream

Questions? We'd love to help you! Meet us in #cribl (sign up)
Download manual as PDF - v2.2.0

    Docs Home

Splunk Single Instance

Splunk Enterprise is a streaming Destination type.

Configuring Cribl LogStream to Output to Splunk Destinations


While on the Data Destinations screen, select Splunk from the tiles or the left menu, then click Add New. The resulting New Splunk Single Instance destination pane contains the following fields.

Output ID: Enter a unique name to identify this Splunk Destination definition.

Address: Hostname of the Splunk receiver.

Port: The port number on the host.

Nested field serialization: Specifies how to serialize nested fields into index-time fields. Defaults to None.

Throttling: Throttle rate in bytes per second. Multiple byte units such as KB, MB, GB etc. are also allowed. E.g., 42 MB. Default value of 0 indicates no throttling. When throttle engaged, excesses data will be dropped only if Backpressure Behavior is set to drop, and blocked for all other settings.

Backpressure behavior: Select whether to block, drop, or queue events when all receivers in this group are exerting backpressure. Defaults to Block.

TLS Settings (Client Side)

Enabled defaults to No. When toggled to Yes:

Validate server certs: Require client to reject connections to servers whose certs are not signed by one of the supplied CAs. Defaults to No.

Server name (SNI): Server name for the SNI (Server Name Indication) TLS extension. This must be a host name, not an IP address.

Certificate name: The name of the predefined certificate.

CA certificate path: Path on client containing CA certificates (in PEM format) to use to verify the server's cert. Path can reference $ENV_VARS.

Private key path (mutual auth): Path on client containing the private key (in PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Certificate path (mutual auth): Path on client containing certificates in (PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Passphrase: Passphrase to use to decrypt private key.

Single .pem File

If you have a single .pem file containing cacert, key, and cert sections, enter it in all of these fields above: CA certificate path, Private key path (mutual auth), and Certificate path (mutual auth).

Timeout Settings

Connection timeout: Amount of time (in milliseconds) to wait for the connection to establish, before retrying. Defaults to 10000.

Write timeout: Amount of time (in milliseconds) to wait for a write to complete, before assuming connection is dead. Defaults to 60000.

Conditioning Pipeline

Conditioning Pipeline: Pipeline to process data before sending the data out using this output.

Notes about Forwarding to Splunk


  • Data sent to Splunk is not compressed.

  • If events have a Cribl LogStream internal field called __criblMetrics, they'll be forwarded to Splunk as metric events.

  • If events do not have a _raw field, they'll be serialized to JSON prior to sending to Splunk.

Updated 11 days ago

Splunk Single Instance


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.