Splunk App Deployment

Getting started with Cribl App for Splunk
Deploying Cribl App for Splunk

In an on-prem Splunk environment, you can install and configure Cribl Stream as a Splunk app (Cribl App for Splunk), on a Search Head. You cannot use Cribl App for Splunk in a Cribl Stream distributed deployment as a Leader, or as a managed Worker. You cannot install the app on Splunk Cloud or on a Splunk Heavy Forwarder. (See Single-Instance/Basic Deployment and Distributed Deployment for alternatives.)

Running on a Search Head (SH)

When running on an SH, Cribl Stream is set to mode-searchhead, the default mode for the app. It listens for localhost traffic generated by a custom command: criblstream. The command is used to forward search results to the Cribl Stream instance’s TCP JSON input on port 10420, but it’s also capable of sending to any other Cribl Stream instance listening for TCP JSON.

Once received, data can be processed and forwarded to any of the supported Destinations. In addition, several out-of-the-box saved searches are ready to run and send their results to Cribl Stream with a single click.

Installing the Cribl App for Splunk on an SH

  • Select an instance on which to install.
  • Ensure that ports 10000, 10420, and 9000 are available. See the Requirements section for more info.
  • Get the bits here, and install as a regular Splunk app.
  • Restart the Splunk instance.
  • Go to https://<instance>/en-US/app/cribl or https://<instance>:9000, and log in with Splunk admin role credentials.

Typical Use Cases for Search Head Mode

  • Working with search results in a Cribl Stream pipeline.
  • Sending search results to any Destination supported by Cribl Stream.

Commands and Examples

Below are some examples of how to use the criblstream, criblencrypt, and cribldecrypt commands available in this app.

The cribldecrypt command can decrypt events originating from multiple Stream Worker Groups or Edge Fleets only if you use the same key material on all Worker Groups and Fleets encrypting data.

Forward Search Results to a Cribl Stream Instance

The basic command for sending events to a Cribl Pipeline is criblstream, for example:

criblstream command
index="my_index" | criblstream dest=host:port

Search for a Value

Suppose that you want to search events for a particular value. Because events are encrypted, one approach would be to decrypt all events and then search the unencrypted events for your target value. But decrypting large numbers of events takes a long time, and is extremely inefficient.

Here’s a better approach, taking advantage of the fact that the encrypted form of a value is always the same:

  1. Encrypt the target value.
  2. Search the events (which are still encrypted) for the encrypted form of the target value.
  3. If you find events that contain the (encrypted) target value, decrypt them if desired.

You can combine all three steps in a single command:

Search the index for the encrypted target value and decrypt matching events
index="encrypted"
    [ | makeresults
      | eval encrypted_field="target_value"
      | criblencrypt field=encrypted_field keyclass=0
      | fields encrypted_field ]
| cribldecrypt

The criblencrypt command requires a field, and either a keyclass (as shown above) or a keyid. For details, see Encryption.
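The same encrypt-then-search pattern can feed a Cribl Stream instance other than the local one, since criblstream accepts any TCP JSON listener (see Running on a Search Head). The following search is an added example, not from the Cribl documentation: the sourcetype, the user/host/action fields, the username, and the Worker hostname cribl-worker.example.internal are constructed placeholders. It encrypts the target username with key class 0, searches only the still-encrypted events for that ciphertext, decrypts just the matches, trims the result to a few fields, and forwards them to a remote Worker's TCP JSON input on port 10420.

```spl
index="encrypted" sourcetype="app_logs"
    [ | makeresults
      | eval user="jdoe"
      | criblencrypt field=user keyclass=0
      | fields user ]
| cribldecrypt
| table _time host user action
| criblstream dest=cribl-worker.example.internal:10420
```

Only the events that matched the ciphertext are decrypted, so the expensive cribldecrypt step runs on a small result set rather than on the whole index.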

Internal Fields

The Cribl App for Splunk adds the following internal fields to events:

  • _CRIBL_QUEUE
  • _CRIBL_TCP_ROUTING

The app forwards these fields to Splunk, because the transforms.conf file that ships with the app relies on them.

Beginning with version 4.0, only the Cribl App for Splunk adds these fields. Cribl Stream and Cribl Edge do not. (Earlier versions of Cribl Stream did add these fields, but neither Stream itself nor Splunk receivers have processed them in recent versions.)