Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF – v.3.1.1

Metrics

Cribl LogStream supports receiving metrics in these wire formats/protocols: StatsD, StatsD Extended, and Graphite. Automatic protocol detection happens on the first line received over a TCP connection or a UDP packet. Lines not matching the detected protocol are dropped.

📘

Type: Push | TLS Support: No | Event Breaker Support: No

Configuring Cribl LogStream to Receive Metrics

From the top nav of a LogStream instance or Group, select Sources, then select [Push >] Metrics from the Data Sources page's tiles or the Sources left nav. Click + Add New to open the Metrics > New Source modal, which provides the following fields.

General Settings

Input ID: Enter a unique name to identify this Source definition.

Address: Enter the hostname/IP to listen to. Defaults to 0.0.0.0.

UDP port: Enter the UDP port number to listen on. Not required if listening on TCP.

TCP port: Enter the TCP port number to listen on. Not required if listening on UDP.

Processing Settings

Fields (Metadata)

In this section, you can add fields/metadata to each event using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).

Pre-Processing

In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Advanced Settings

Enable Proxy Protocol: Enable if the connection is proxied by a device that supports Proxy Protocol v1 or v2.

IP allowlist regex: Regex matching IP addresses that are allowed to send data. Defaults to .* (i.e., all IPs.)

Max buffer size (events) : Maximum number of events to buffer when downstream is blocking. Defaults to 1000.

Internal Fields

Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but they are accessible, and Functions can use them to make processing decisions.

Fields for this Source:

  • __srcIpPort
  • __metricsInType

Metric Event Schema and Destination Support

Metric data is read into the following event schema:

_metric - the metric name
_metric_type - the type of the metric (gauge, counter, timer)
_value - the value of the metric
_time - metric_time or Date.now()/1000
dim1 - value of dimension1
dim3 - value of dimension2
....

LogStream places sufficient information into a field called __criblMetric to enable these events to be properly serialized out to any metric outputs (independent of the input type).

The following Destinations natively support the __criblMetric field:

  • Splunk
  • Splunk HEC
  • InfluxDB
  • Statsd
  • Statsd Extended
  • Graphite

Data Format/​Protocol Examples

StatsD

Format: MetricName:value|type

metric1:100|g
metric2:200|ms
metric.dot.3:300.16|c

See the StatsD repo.

StatsD Extended

Format: MetricName:value|type|#dim=value,dim2=value

metric1:100|g|#dim1:val1,dim2:val2,dim3:val3
metric2:200|ms|#dim1:val1,dim2:val2,dim3:val3
metric.dot.3:300.16|c|#dim1:val1,dim2:val2,dim3:val3

Graphite

Format: MetricName[;dim1=val1[;dim2=val2]] value time

metric1;dim1=val1;dim2=val2 100 9999
metric2;dim1=val1;dim2=val2 200 9999
metric.dot.3;dim1=val1;dim2=val2 300.16 9999.16
metric1 100 9999
metric2 200 9999
metric.dot.3 300.16 9999.16

See the Graphite (also known as Carbon) plaintext protocol.

Updated about a month ago

Metrics


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.