Skip to main content
Version: 3.2

Config Files

Understanding Configuration Paths and Files

Even though all LogStream Routes, Pipelines, and Functions can be managed from the UI, it's important to understand how the configuration works under the hood. Here is how configuration paths and files are laid out on the filesystem.

Path PlaceholderExpanded Path
$CRIBL_HOMEStandalone Install:
/path/to/install/cribl/ – referred to
below as $CRIBL_HOME

Cribl App for Splunk Install:
$SPLUNK_HOME/etc/apps/cribl/

All paths below are relative to $CRIBL_HOME in a single-instance deployment, or to $CRIBL_HOME/groups/<group‑name>/ in a distributed deployment.

CategoryRelative Path
Default Configurations
Out-of-the-box defaults (rewritable) and libraries (expandable)
default/cribl
Local Configurations
User-created integrations and resources
local/cribl
System Configuration(default|local)/cribl/cribl.yml
See cribl.yml
API Configuration(default|local)/cribl/cribl.yml > [api] section
See cribl.yml
Source Configuration(default|local)/cribl/inputs.yml
See inputs.yml
Destination Configuration(default|local)/cribl/outputs.yml
See outputs.yml
License Configuration(default|local)/cribl/licenses.yml
Regexes Configuration(default|local)/cribl/regexes.yml
Breakers Configuration(default|local)/cribl/breakers.yml
Limits Configuration(default|local)/cribl/limits.yml
Pipelines Configuration(default|local)/cribl/pipelines/<pname>
Each Pipeline's conf is contained therein.
Routes Configuration(default|local)/cribl/pipelines/routes.yml
Functions(default|local)/cribl/functions/<function_name>
Each function's code, conf is contained therein.
Functions Configuration(default|local)/cribl/functions/<function_name>/...
Each function's conf is contained therein.
Roles Configuration(default|local)/cribl/roles.yml
RBAC Role definitions. See roles.yml.
Policies Configuration(default|local)/cribl/policies.yml
RBAC Policy definitions. See policies.yml.

Configurations and Restart

  • Configuration changes resulting from most UI interactions – for instance, changing the order of Functions in a Pipeline, or changing the order of Routes – do not require restarts.
  • Some configuration changes in the Settings UI do require restarts. You will be prompted to confirm before restarting.
  • All direct edits to configuration files in (bin|local|default)/cribl/... will require restarts.
  • Worker Nodes might temporarily disappear from the Leader's Workers tab while restarting.
  • When using the Cribl App for Splunk, changes to Splunk configuration files might or might not require restarts. Please check current Splunk docs.

Configuration Layering and Precedence

Similar to most *nix systems, Cribl configurations in local take precedence over those in default. There is no layering of configuration files.

Editing Configuration Files Manually

When config files must be edited manually, save all changes in local.