Cribl LogStream supports receiving Splunk data from Universal or Heavy Forwarders.
Type: Push | TLS Support: YES | Event Breaker Support: YES
Select Data > Sources, then select Splunk > Splunk TCP from the Data Sources page's tiles or left menu. Click Add New to open the Splunk TCP > New Source modal, which provides the fields outlined below.
LogStream ships with a Splunk TCP Source preconfigured to listen on Port 9997. You can clone or directly modify this Source to further configure it, and then enable it.
Input ID: Enter a unique name to identify this Splunk Source definition.
Address: Enter hostname/IP to listen for Splunk data. E.g.,
Port: Enter port number.
Enabled defaults to
No. When toggled to
Certificate name: Name of the predefined certificate.
Private key path: Path on server where to find the private key to use in PEM format. Path can reference $ENV_VARS.
Passphrase: Passphrase to use to decrypt private key.
Certificate path: Server path at which to find certificates (in PEM format) to use. Path can reference
*CA certificate path : Server path at which to find CA certificates (in PEM format) to use. Path can reference
Authenticate client (mutual auth): Require clients to present their certificates. Used to perform mutual authentication using SSL certs. Defaults to
No. When toggled to
Validate client certs: Reject certificates that are not authorized by a CA in the CA certificate path, or by another trusted CA (e.g., the system's CA). Defaults to
Common name: Regex matching subject common names in peer certificates allowed to connect. Defaults to
.*. Matches on the substring after
CN=. As needed, escape regex tokens to match literal characters. E.g., to match the subject
CN=worker.cribl.local, you would enter:
Minimum TLS version: Optionally, select the minimum TLS version to accept from connections.
Maximum TLS version: Optionally, select the maximum TLS version to accept from connections.
Event Breaker rulesets: A list of event breaking rulesets that will be applied to the input data stream before the data is sent through the Routes. Defaults to
System Default Rule.
Event Breaker buffer timeout: The amount of time (in milliseconds) that the event breaker will wait for new data to be sent to a specific channel, before flushing out the data stream, as-is, to the Routes. Defaults to
In this section, you can add fields/metadata to each event, using Eval-like functionality.
Name: Field name.
In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.
+ Add Token : Click to add authorization tokens. Each token's section provides the fields listed below. If no tokens are specified, unauthenticated access will be permitted.
Token: Shared secrets to be provided by any Splunk forwarder (Authorization: <token>). Click Generate to create a new secret.
Description: Optional description of this token.
Enable proxy protocol: Defaults to
No. Toggle to
Yes if the connection is proxied by a device that supports Proxy Protocol V1 or V2.
IP whitelist regex: Regex matching IP addresses that are allowed to establish a connection. Defaults to
.* (i.e., all IPs).
Max active connections: Maximum number of active connections allowed per Worker Process. Defaults to
1000. Set a lower value if connection storms are causing the Source to hang. Set
0 for unlimited connections.
Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but they are accessible, and Functions can use them to make processing decisions.
Field for this Source:
To configure a Splunk forwarder (UF, HF) use the following outputs.conf stanzas:
[tcpout] disabled = false defaultGroup = cribl, <optional_clone_target_group>, [tcpout:cribl] server = [<cribl_ip>|<cribl_host>]:<port>, [<cribl_ip>|<cribl_host>]:<port>, ... sendCookedData=true # As of Splunk 6.5, using forceTimebasedAutoLB is no longer recommended. Ensure this is left at default for UFs # forceTimebasedAutoLB = false
Updated 4 days ago