These docs are for Cribl Edge 4.3 and are no longer actively maintained.
See the latest version (4.13).
Config Files
Understanding Configuration Paths and Files
Even though all Cribl Edge Routes, Pipelines, and Functions can be managed from the UI, it’s important to understand how the configuration works under the hood. Here is how configuration paths and files are laid out on the filesystem.
| Path Placeholder | Expanded Path |
|---|---|
$CRIBL_HOME | Standalone Install:/path/to/install/cribl/ – referred tobelow as $CRIBL_HOMECribl App for Splunk Install: $SPLUNK_HOME/etc/apps/cribl/ |
All paths below are relative to $CRIBL_HOME in a single-instance deployment, or to $CRIBL_HOME/groups/<group‑name>/ in a distributed deployment.
| Category | Relative Path |
|---|---|
| Default Configurations Out-of-the-box defaults (rewritable) and libraries (expandable) | default/cribl |
| Local Configurations User-created integrations and resources | local/cribl |
| System Configuration | (default|local)/cribl/cribl.ymlSee cribl.yml |
| API Configuration | (default|local)/cribl/cribl.yml > [api] sectionSee cribl.yml |
| Source Configuration | (default|local)/cribl/inputs.ymlSee inputs.yml |
| Destination Configuration | (default|local)/cribl/outputs.ymlSee outputs.yml |
| License Configuration | (default|local)/cribl/licenses.yml |
| Regexes Configuration | (default|local)/cribl/regexes.yml |
| Breakers Configuration | (default|local)/cribl/breakers.yml |
| Limits Configuration | (default|local)/cribl/limits.yml |
| Service Processes Configuration | (default|local)/cribl/service.ymlSee service.yml |
| Pipelines Configuration | (default|local)/cribl/pipelines/<pipeline_name>Each Pipeline’s config resides within its subdirectory. |
| Packs Configuration | default/<pack_name>Each Pack’s code and config reside within its subdirectory. |
| Routes Configuration | (default|local)/cribl/pipelines/routes.yml |
| Functions | (default|local)/cribl/functions/<function_name>Each Function’s code resides within its subdirectory. |
| Functions Configuration | (default|local)/cribl/functions/<function_name>/...Each Function’s config resides within its subdirectory. |
| Roles Configuration | (default|local)/cribl/roles.ymlRBAC Role definitions. See roles.yml. |
| Policies Configuration | (default|local)/cribl/policies.ymlRBAC Policy definitions. See policies.yml. |
| Permissions Configuration | (default|local)/cribl/perms.ymlUser permissions. See perms.yml. |
| Secrets Configuration | (default|local)/cribl/secrets.ymlCribl Edge secrets. See secrets.yml. |
Configurations and Restart
You can Restart and Reload via the UI. On the top nav, go to Settings > Global Settings > System > Controls then click on the Reload button or the Restart button.
In a distributed environment, Edge Nodes poll the Leader for configuration changes. Many of these changes require a quick reload to read the new configuration, while others require a restart of the Cribl processes on the Edge Node.
On restarts, be aware of the following:
- Data in process of being received on Syslog/UDP might be dropped.
- Edge Nodes will temporarily disappear from the Leader’s Manage/Edge Node page.
- Aggregations and suppressions will start over.
- The local copy of monitoring metrics on the Edge Nodes, before the restart, will be dropped.
- Any events in RAM for persistent queue (PQ) will be lost. PQ data on disk will persist.
Changes that require reloads include configuration changes to:
- Functions
- Pipelines
- Packs
- Routes
- Lookups
- Parquet schemas
- Global variables
- Group Settings: Limits and Logging Levels
Changes that require restarts include configuration changes to:
- Mode of operation (Leader, distributed Edge Node, Single-instance)
- Fleet assignment
- Event Breakers
- Quick Connects
- Sources
- Destinations
- Group Settings: Advanced Settings, TLS
- Group Settings: Worker Processes - Process Count/Memory
Some general guidelines to keep in mind:
- Configuration changes resulting from most UI interactions – for instance, changing the order of Functions in a Pipeline, or changing the order of Routes – do not require restarts.
- Some configuration changes in the Settings UI do require restarts. You will be prompted to confirm before restarting.
- All direct edits of configuration files in
(bin|local|default)/cribl/...will require restarts. - Edge Nodes might temporarily disappear from the Leader’s Workers tab while restarting.
- A
git commitcommand on the Leader Node’s host (using a freestandinggitclient not embedded in Cribl’s CLI or UI) will require either a reload or restart. - When using the Cribl App for Splunk, changes to Splunk configuration files might or might not require restarts. Please check current Splunk docs.
Configuration Layering and Precedence
Similar to most *nix systems, Cribl configurations in local take precedence over those in default. There is no layering of configuration files.
Editing Configuration Files Manually
When config files must be edited manually, save all changes in
local.