Add a Splunk TCP Source for Cribl Search
Collect events sent by Splunk Forwarders, including the Splunk Universal Forwarder, so you can search them fast with Cribl Search.
What’s a Splunk TCP Source in Cribl Search?
A Cribl Search data source that receives events from Splunk Universal or Heavy Forwarders over TCP and stores them in a lakehouse engine for fast access.
Looking for the Splunk TCP Source in Cribl Stream? See Splunk TCP Source in Cribl Stream.
What You Need First
To set up this Source, you need:
- Cribl.Cloud Enterprise. For details, see Pricing.
- A lakehouse engine. Get one at lakehouse engines.
- Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
You don’t need Cribl Stream, Edge, or Lake.
Add a Splunk TCP Source for Cribl Search
On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Splunk TCP.
1. Describe Your Source
Under General, give your Source an ID and Description, so you and other Search Admins know what the Source is for and if it’s safe to modify.
The ID must be unique across your Workspace and can contain letters, numbers, underscores, and hyphens. Cribl Search
prefixes it with in_ on save (for example, splunk_tcp becomes in_splunk_tcp).
2. Note the Source Endpoint
Under General, note down the Address and Port. You’ll need them to configure your Splunk Forwarder to send data here.
Keep the default port unless it conflicts with another service.
3. Set Up Encryption
TLS encryption protects your data in transit between upstream Splunk Forwarders and this Source.
Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.
| TLS version | When to use |
|---|---|
| 1.3 | Recommended. Provides the best security. |
| 1.2 | Use only when connecting to older systems that don’t support TLS 1.3. |
| Older than 1.2 | Avoid if possible. These versions are no longer considered secure. |
4. Set Up Authentication
An authentication token is a secret shared between Cribl Search and your upstream Cribl Destinations. Using tokens ensures only authorized senders can push data to your Source.
Under Authentication, select Add Token, and configure:
- Token secret (text secret): Select a stored text secret that holds the token, or choose Create to add a new one (see Create and Manage Secrets).
- Enable token: Turn on to require this token for incoming requests to your Source. Disable only when testing without authentication.
Next Steps
Confirm with Save. Now, you’re ready to:
- Set Datatype rules for parsing your data. See Shape Your Data.
- Set Dataset rules for organizing your data. See Organize Your Data.
- Configure your Splunk Forwarder to send data to the Source endpoint.