Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF – v.3.1.1


Cribl LogStream supports receiving metrics in these wire formats/protocols: StatsD, StatsD Extended, and Graphite. Automatic protocol detection happens on the first line received over a TCP connection or a UDP packet. Lines not matching the detected protocol are dropped.


Type: Push | TLS Support: No | Event Breaker Support: No

Configuring Cribl LogStream to Receive Metrics

From the top nav of a LogStream instance or Group, select Sources, then select [Push >] Metrics from the Data Sources page's tiles or the Sources left nav. Click + Add New to open the Metrics > New Source modal, which provides the following fields.

General Settings

Input ID: Enter a unique name to identify this Source definition.

Address: Enter the hostname/IP to listen to. Defaults to

UDP port: Enter the UDP port number to listen on. Not required if listening on TCP.

TCP port: Enter the TCP port number to listen on. Not required if listening on UDP.

Processing Settings

Fields (Metadata)

In this section, you can add fields/metadata to each event using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).


In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Advanced Settings

Enable Proxy Protocol: Enable if the connection is proxied by a device that supports Proxy Protocol v1 or v2.

IP allowlist regex: Regex matching IP addresses that are allowed to send data. Defaults to .* (i.e., all IPs.)

Max buffer size (events) : Maximum number of events to buffer when downstream is blocking. Defaults to 1000.

Internal Fields

Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but they are accessible, and Functions can use them to make processing decisions.

Fields for this Source:

  • __srcIpPort
  • __metricsInType

Metric Event Schema and Destination Support

Metric data is read into the following event schema:

_metric - the metric name
_metric_type - the type of the metric (gauge, counter, timer)
_value - the value of the metric
_time - metric_time or
dim1 - value of dimension1
dim3 - value of dimension2

LogStream places sufficient information into a field called __criblMetric to enable these events to be properly serialized out to any metric outputs (independent of the input type).

The following Destinations natively support the __criblMetric field:

  • Splunk
  • Splunk HEC
  • InfluxDB
  • Statsd
  • Statsd Extended
  • Graphite

Data Format/​Protocol Examples


Format: MetricName:value|type


See the StatsD repo.

StatsD Extended

Format: MetricName:value|type|#dim=value,dim2=value



Format: MetricName[;dim1=val1[;dim2=val2]] value time

metric1;dim1=val1;dim2=val2 100 9999
metric2;dim1=val1;dim2=val2 200 9999;dim1=val1;dim2=val2 300.16 9999.16
metric1 100 9999
metric2 200 9999 300.16 9999.16

See the Graphite (also known as Carbon) plaintext protocol.

Updated about a month ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.