Sources

Each Cribl Edge Source is a configuration that enables Edge nodes to collect or receive observability data – logs, metrics, application data, and so on – in real time. Edge can receive continuous data input from Splunk, HTTP senders, Elastic Beats, Prometheus, TCP JSON, and many others. Sources can receive data from either IPv4 or IPv6 addresses.

Cribl Edge offers a configuration modal for each type of supported Source. However, you can add multiple instances of each Source type – with each configured to match the parameters of the corresponding sender. For example, you can have multiple File Monitors and multiple listeners for Syslog, Splunk, Elastic Beats, Prometheus, TCP JSON, and many others.

System and Internal Sources

Sources that generate data locally at the Edge Node, monitor resources, or move data among Edge Nodes and/or Stream Workers within your Cribl deployment.

Push Sources

Supported data Sources that send to Cribl Edge.

Comparison of Generic Push Sources

This table compares generic, protocol-level Push Sources. Refer to this table when you need to ingest raw data or custom formats over basic protocols like HTTP, TCP, or UDP.

Source | Key Differentiator | Best For…
HTTP/S (Bulk API) | Protocol-aware: Understands and responds using specific API semantics, including acknowledgments. | Receiving data from systems that require custom or generic HTTP/S event ingestion.
Raw HTTP/S | Protocol-agnostic: Accepts any HTTP/S payload without validating its structure. | Capturing any arbitrary or custom HTTP/S traffic where only the raw payload matters.
TCP JSON | Content-aware: Specifically designed to parse a stream of distinct JSON objects. | Ingesting a continuous stream of well-formed JSON objects over a reliable TCP connection.
TCP (Raw) | Content-agnostic: Treats the incoming data as an unstructured stream of bytes. | Ingesting binary data, custom application protocols, or any non-JSON data over TCP.
UDP (Raw) | Stateless with best-effort delivery: Offers lightweight, connectionless data ingestion. | High-volume, loss-tolerant data streams like syslog, NetFlow, or SNMP traps.

Pull Sources

Cribl Edge does not contain any Sources categorized as Pull. The contents of the Pull tab will be blank.

Configuring and Managing Sources

For each Source type, you can create multiple definitions, depending on your requirements.

To configure Sources, from the top nav, select Manage, then select a Fleet to configure. Then, you have two options:

  • To access the graphical QuickConnect UI, select Collect. Next, select either Add New or (if displayed) Existing.

  • To access the Routing UI, select More > Sources. On the resulting Data Sources page’s tiles or left menu, select the desired type, then select Add New.

Capturing Source Data

To capture data from a single enabled Source, you can bypass the Preview pane, and instead capture directly from a Manage Sources page. Select the Live button beside the Source you want to capture.

In order to capture live data, you must have Edge Nodes registered to the Fleet for which you’re viewing events. You can view registered Edge Nodes from the Status tab in the Source.

Source > Live button

You can also start an immediate capture from within an enabled Source’s configuration modal, by selecting the Live Data tab.

Source modal > Live Data tab

Monitoring Source Status

You can get a quick overview of Source health status by referring to their status icons.

Additionally, each Source’s configuration modal offers two tabs for monitoring: Status and Charts.

Source Status Icons

Source status icons are available on the Data > Destinations page and for each individual Source in the list for a specific Source type.

The icons have the following meanings:

  • Healthy. Operating correctly.
  • Warning. Experiencing issues. The Source is not functioning fully. Specific conditions will depend on the Source type.
  • Critical. Experiencing critical issues. Drill down to the Source’s Status tab to find out the details.
  • Disabled. The Source is configured, but not enabled.
  • No health metrics available. This may mean that a Source is enabled, but has not been deployed yet.
  • Inactive. When using GitOps, a Source appears Inactive if its Environment field (configured under Advanced Settings) does not match the currently active environment determined by the deployed Git branch. This ensures integrations only activate in their designated environments, preventing unintended data flow or misconfiguration.

Status Tab

The Status tab provides details about the Edge Nodes in the Fleet and their status. An icon next to each Edge Node uses color to clearly signal its health:

  • All systems go! Your Edge Node is operating normally.
  • Attention needed. There’s a potential issue with this Edge Node.
  • Stop! This Edge Node has encountered a critical error.

The way you view Edge Node statuses depends on the size of your Fleet:

  • Fewer than 1000 Edge Nodes: All Edge Nodes are conveniently displayed on the Status tab, along with their statuses. Use the Status checkboxes at the top to filter the list by health (healthy, warning, error).

    Select any Edge Node row to view specific details to help diagnose issues. The specific set of information provided depends on the Source type. Keep in mind that this data only reflects process 0 for each Edge Node.

  • More than 1000 Edge Nodes: With a larger Fleet, you can select a specific Edge Node from the drop-down menu (showing up to 100 Nodes). You can search by hostname or GUID to find a specific Node. You can also use the Status checkboxes to filter which Edge Nodes appear in the drop-down list.

The content of the Status tab is loaded live when you open it and only displayed when all the data is ready. With a lot of busy Edge Nodes in a group, or nodes located far from the Leader, there may be a delay before you see any information.

The statistics presented are reset when the Edge Node restarts.

Charts Tab

The Charts tab presents a visualization of the most recent 10 minutes of activity on the Source. The following data is available:

  • Total events in
  • Average throughput (events per second)
  • Total bytes in
  • Average throughput (bytes per second)

This data (in contrast with the Status tab) is read almost instantly and does not reset when restarting an Edge Node.

Preconfigured Sources

To accelerate your setup, Cribl Edge ships with several common Sources configured but not switched on. Open, clone (if desired), modify, and enable any of these preconfigured Sources to get started quickly.

On a Cribl.Cloud deployment, do not delete any preconfigured Sources. If you don’t plan to use them, keep them disabled.

  • System Metrics – Basic Level
  • System State > in_system_state
  • File Monitor > in_file_auto – Auto Discovery Mode
  • File Monitor > in_file_varlog – Manual Discovery Mode
  • AppScope > in_appscope – Unix Domain Socket listener
  • Kubernetes Events > in_kube_events
  • Kubernetes Logs > in_kube_logs
  • Kubernetes Metrics > in_kube_metrics
  • Cribl Internal > CriblLogs – Internal
  • Cribl Internal > CriblMetrics – Internal
  • Windows Metrics > in_windows_metrics
  • Windows Event Logs > in_win_event_logs
  • Journal Files > in_journal_local

Single Source Support

The following Source types are limited to preconfigured Sources:

  • Cribl Internal
  • Kubernetes Events
  • Kubernetes Logs
  • Kubernetes Metrics
  • System Metrics
  • System State
  • Windows Metrics