Cribl LogStream ā€“ Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF - v2.4.4

Cribl Internal

The Cribl Internal Source enables you to capture and send LogStream's own internal logs and metrics through Routes and Pipelines. In distributed mode, only Worker Node internal logs can be processed through this Source. (Logs on the Master remain on the Master, since the MasterĀ Node is not part of any processing path.)

šŸ“˜

Type: Internal | TLS Support: N/A | Event Breaker Support: No

Configuring Cribl Internal Logs/Metrics to Behave as a DataĀ Source

Select Data > Sources, then select Cribl Internal from the DataĀ Sources page's tiles or left menu.

Next, on the CriblLogs and/or the CriblMetrics row, slide the Enabled slider to Yes. Confirm your choice in the resulting message box.

To proceed to the configuration options listed below, click anywhere on the CriblLogs or the CriblMetrics row.

Cribl Internal Sources ā€“ click to configure

CriblLogs Settings

General Settings

Enabled: This duplicates the parent page's Enabled slider. Keep it at Yes to enable Cribl logs as a Source.

Input ID: Enter a unique name to identify this CriblLogs Source definition.

Processing Settings

Fields (Metadata)

In this section, you can add fields/metadata to each event, using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).

Pre-Processing

In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

CriblMetrics Settings

General Settings

Enabled: This duplicates the parent page's Enabled slider. Keep it at Yes to enable Cribl metrics as a Source.

Input ID: Enter a unique name to identify this CriblMetrics Source definition.

Metric name prefix: Enter an optional prefix that will be applied to metrics provided by LogStream. The prefix defaults to cribl.logstream..

šŸ“˜

If LogStream detects source, sourcetype, host, or index fields in metrics from external sources, it copies their values into new dimensions with added event_ prefixes (e.g., event_sourcetype). This leaves the original dimensions (and their values) intact.

Note that you can disable metric collection for any or all of these four fields at SystemĀ SettingsĀ > GeneralĀ SettingsĀ > LimitsĀ > DisableĀ field metrics.

Processing Settings

Fields (Metadata)

In this section, you can add fields/metadata to each event, using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).

Pre-Processing

In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Reporting Metrics Less Frequently

By default, LogStream generates internal metrics every 2 seconds. To consume metrics at longer intervals, you can use or adapt the criblā€‘metrics_rollup Pipeline that ships with LogStream. Attach it to your CriblĀ Internal Source as a preā€‘processing Pipeline. The Pipeline's RollupĀ Metrics Function has a default TimeĀ Window of 30 seconds, which you can adjust to a different granularity as needed.

Internal Fields

The following fields will be added to all events/metrics:

  • source: set to cribl.
  • host: set to the hostname of the Cribl instance.

Use these fields to guide these events/metrics through Cribl Routes.

šŸš§

All Cribl internal fields are subject to change and modification. Cribl provides them to assist with analytics and diagnostics, but does not guarantee that they will remain available.

Updated 3 months ago

Cribl Internal


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.