
Notifications via Cribl Stream

Send Notifications about your scheduled searches through Cribl Stream to multiple downstream services.


This topic shows how to send Notifications to Cribl Stream Worker Groups, which can forward them to multiple downstream services, using workflows you’ve configured to also handle Notifications from Cribl Stream itself (and other Cribl products).

This technique is a convenient alternative to configuring multiple Webhook Notification targets in Cribl Search. Here, you configure a single Webhook target for the Worker Group, and let Cribl Stream multiplex the outbound Notifications from there.

We outline this technique in the following general steps:

Identify Ingest Address

To find the ingest address of a Cribl-managed Worker Group, start in the Cribl.Cloud Organization that hosts your Cribl Search instance:

  1. From the top bar, select Products > Cribl.

  2. From the resulting sidebar, select Data Sources.

  3. Use the Group drop-down to select the Cribl-managed Worker Group where you want to send the alerts.

  4. Under Sources Enabled by Default, find the http entry.

  5. Here, copy the Ingest Address (URL) of your Worker Group. This will point to port 10080. The general format is:
    https://<groupName>.<workspaceName>.<organizationId>.cribl.cloud:10080

An example with the most typical Group and Workspace names, and with a fictitious Organization name: https://default.main.goat-farm.cribl.cloud:10080

For a hybrid Group running on a host that you manage, the ingest address will typically be configured through your load balancer.

Add Webhook Notification Target

  1. Navigate back to Cribl Search: Select Products > Search.

  2. Select Settings > Search > Notification Targets.

  3. Select the Webhook type.

  4. Select Add Target.

  5. Paste the Ingest Address URL that you copied from your Cribl.Cloud Organization, appending /cribl/_bulk as in this example:
    https://default.main.<organizationId>.cribl.cloud:10080/cribl/_bulk

  6. Save the new target as stream_webhook or your desired name.

[Figure: Configuring the Webhook Notification target]

Schedule and Save Search and Notification

  1. Create a search, customized according to your needs. The example shown here uses this query:
    dataset="$vt_dummy" | extend alert="true"

  2. Select Actions > Save to open the configuration modal shown below.

[Figure: Saving the search configuration]

  3. Schedule the search, according to your needs. This example sets a * * * * * cron schedule, to repeat the search every minute.

[Figure: Scheduling the search]

  4. Add the Notification, pointing to the Webhook target you configured above.

[Figure: Specifying the Notification]

  5. Save the search, with its configured schedule and Notification.

Verify Inflow to Cribl Stream

Next, make sure that Cribl Search is forwarding your Notifications to Cribl Stream:

  1. In Cribl Stream, navigate to your targeted Worker Group.

  2. Open the HTTP Source config modal: Select Sources > HTTP.

  3. Select the Live Data tab, then its Capture button.

  4. Set a long time window (several minutes), then select Start.

  5. Wait. In about a minute, a properly configured alert will appear.

[Figure: Previewing the Notification’s arrival in Cribl Stream]
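Waiting for the scheduled search to fire is one way to confirm inflow; another is to post a constructed test event straight to the same ingest URL and watch it appear in the HTTP Source's Live Data capture, which separates "is the Worker Group reachable and the URL correct?" from "is the Notification configured?". The script below is an added example, not Cribl's tooling or a Cribl Search payload. It assumes that the `/cribl/_bulk` endpoint accepts newline-delimited JSON, that an auth token configured on the HTTP Source is sent in the `Authorization` header as a bearer token, and that the `Content-Type` value is not enforced; the event fields (`_raw`, `alert`, `search`, `source`) are constructed for illustration and are not the schema Cribl Search emits.

```python
"""Post a constructed test event to a Cribl Stream HTTP Source bulk endpoint.

Added example (not Cribl's code). Assumptions are marked in comments.
"""
import json
import sys
import urllib.request
from urllib.parse import urlparse

INGEST_PORT = 10080          # port quoted on the page for Cribl-managed Groups
BULK_PATH = "/cribl/_bulk"   # path appended to the Ingest Address for the Webhook target


def build_ingest_url(group: str, workspace: str, org_id: str) -> str:
    """Compose the bulk ingest URL from the Group, Workspace and Organization names."""
    return f"https://{group}.{workspace}.{org_id}.cribl.cloud:{INGEST_PORT}{BULK_PATH}"


def check_ingest_url(url: str) -> list:
    """Return a list of problems with a pasted ingest URL; an empty list means it looks right.

    Catches the two common mistakes: forgetting to append /cribl/_bulk, and
    pasting an http:// or wrong-port address.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if parsed.port != INGEST_PORT:
        problems.append(f"port must be {INGEST_PORT}")
    if parsed.path != BULK_PATH:
        problems.append(f"path must be {BULK_PATH} (did you append it?)")
    return problems


def make_test_event(search_id: str) -> dict:
    """Constructed sample event; field names are illustrative, not Cribl Search's schema."""
    return {
        "_raw": f"test notification for scheduled search {search_id}",
        "alert": "true",
        "search": search_id,
        "source": "manual_inflow_check",
    }


def to_ndjson(events) -> bytes:
    """Serialise events as newline-delimited JSON, one object per line (assumed _bulk format)."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events).encode()


def parse_ndjson(body: bytes) -> list:
    """Inverse of to_ndjson: useful for inspecting a captured request body line by line."""
    return [json.loads(line) for line in body.splitlines() if line.strip()]


def post_events(url: str, events, token: str = None, timeout: int = 10) -> int:
    """POST the events and return the HTTP status code.

    The bearer-token form of the Authorization header is an assumption; match
    whatever the HTTP Source's auth setting expects.
    """
    headers = {"Content-Type": "application/x-ndjson"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=to_ndjson(events), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python post_test_event.py <ingest_url> [auth_token]
    if len(sys.argv) < 2:
        print("usage: post_test_event.py <ingest_url> [auth_token]")
        sys.exit(2)
    target = sys.argv[1]
    auth = sys.argv[2] if len(sys.argv) > 2 else None
    issues = check_ingest_url(target)
    if issues:
        print("refusing to send; fix the URL first:", "; ".join(issues))
        sys.exit(1)
    status = post_events(target, [make_test_event("inflow-check")], token=auth)
    print("HTTP status:", status)
```

Run it with the URL you pasted into the Webhook target while the Live Data capture from the steps above is running; the `source` field value `manual_inflow_check` makes the test event easy to tell apart from real Notifications, and `check_ingest_url` refuses to send if `/cribl/_bulk` was not appended.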

Configure Outflow from Cribl Stream

  1. In Cribl Stream, configure or reconfigure a Destination, Pipeline, and Route to relay the alerts to your chosen downstream service(s).

  2. Verify connectivity all the way through to these receivers.

  3. That’s it!