
Add an Elasticsearch API Source for Cribl Search

Collect events sent via the Elasticsearch bulk API so you can search them fast with Cribl Search.


What’s an Elasticsearch API Source in Cribl Search?

A Cribl Search data source that receives events from systems that use the Elasticsearch bulk API, such as Beats and Elastic Agent, and stores them in a lakehouse engine for fast access.

Looking for the Elasticsearch API Source in Cribl Stream? See Elasticsearch API Source in Cribl Stream.

To search your Elasticsearch index with federated search-in-place queries, see Connect Cribl Search to Elasticsearch.

What You Need First

To set up this Source, you need:

You don’t need Cribl Stream, Edge, or Lake.

Add an Elasticsearch API Source for Cribl Search

On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Elasticsearch API.

1. Describe Your Source

Under General, give your Source an ID and Description, so you and other Search Admins know what the Source is for and whether it’s safe to modify.

The ID must be unique across your Workspace and can contain letters, numbers, underscores, and hyphens. Cribl Search prefixes it with in_ on save (for example, elasticsearch_api becomes in_elasticsearch_api).

2. Note the Source Endpoint

Under General, note down the Address and Port. You’ll need them to configure your upstream Beats or Elastic Agent to send data here.

Keep the default port unless it conflicts with another service.

3. Set Up Encryption

TLS encryption protects your data in transit between upstream senders and this Source.

Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.

TLS version | When to use
1.3 | Recommended. Provides the best security.
1.2 | Use only when connecting to older systems that don’t support TLS 1.3.
Older than 1.2 | Avoid if possible. These versions are no longer considered secure.

4. Set Up Authentication

Authentication ensures only authorized senders can push data to your Source.

Under Authentication, select the Authentication type you want to use:

  • None: No authentication. Use only for testing or trusted internal networks.
  • Basic: Authenticate with a username and password.
  • Basic (credentials secret): Authenticate with a stored text secret that holds the credentials.
  • Auth Tokens: Authenticate with bearer tokens.

Basic

Authenticate with a username and password that you set for Cribl Search. This is what your upstream sender (such as Beats or Elastic Agent) will need to provide when sending data to your Source endpoint.

When setting up authentication for your Elasticsearch API Source:

  1. Under Authentication, select Basic.
  2. Create a new Username and Password for this Source.
  3. Configure Elasticsearch to provide the new username and password when sending data to your Source endpoint.

Basic (Credentials Secret)

Authenticate using a stored credentials secret instead of entering a username and password directly. This keeps credentials out of your Source configuration and makes them easier to rotate.

When setting up authentication for your Elasticsearch API Source:

  1. Under Authentication, select Basic (credentials secret).
  2. In Credentials secret, select a stored text secret that holds the credentials, or choose Create to add a new one (see Create and Manage Secrets).
  3. Configure Elasticsearch to provide the secret when sending data to your Source endpoint.

Auth Tokens

An authentication token is a secret shared between Cribl Search and your upstream Elasticsearch instances. Using tokens ensures only authorized senders can push data to your Source.

When setting up authentication for your Elasticsearch API Source:

  1. Under Authentication, select Auth Tokens.
  2. Select Add Token, and configure:
    • Token secret (text secret): Select a stored text secret that holds the token, or choose Create to add a new one (see Create and Manage Secrets).
    • Enable token: Turn on to require this token for incoming requests to your Source. Disable only when testing without authentication.

Next Steps

Confirm with Save. Now, you’re ready to:

  • Set Datatype rules for parsing your data. See Shape Your Data.
  • Set Dataset rules for organizing your data. See Organize Your Data.
  • Configure your Beats or Elastic Agent to send data to the Source endpoint.
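
A sender-side check of the endpoint, encryption, and Basic authentication settings from steps 2 to 4, added here as an example; it is not part of Cribl's documentation or code. `SOURCE_URL`, the `/_bulk` path, the `smoke-test` index name, and the `USER`/`PASSWORD` values are placeholders or assumptions to replace with your own.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Placeholder: substitute the Address and Port noted in step 2. The /_bulk
# path is the standard Elasticsearch bulk API path and is an assumption here.
SOURCE_URL = "https://ADDRESS:PORT/_bulk"


def bulk_body(index, docs):
    """Bulk API body: an action line, then a document line, newline-terminated."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"create": {"_index": index}}))
        lines.append(json.dumps(doc))
    return ("\n".join(lines) + "\n").encode("utf-8")


def basic_auth_header(username, password):
    """HTTP Basic credentials as a sender would present them (step 4)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def tls13_context():
    """Client context that verifies the certificate and refuses TLS below 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def post_bulk(url, body, auth_header=None):
    """POST the body and return the HTTP status, including 4xx/5xx codes."""
    headers = {"Content-Type": "application/x-ndjson"}
    if auth_header:
        headers["Authorization"] = auth_header
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=tls13_context(), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    body = bulk_body("smoke-test", [{"message": "constructed test event"}])
    print("with credentials:", post_bulk(SOURCE_URL, body, basic_auth_header("USER", "PASSWORD")))
    print("without credentials:", post_bulk(SOURCE_URL, body))
```

With Basic authentication enabled on the Source, the request without credentials should not be accepted; if it is, recheck the Authentication type you selected.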