Ingest JSON Events via TCP into Cribl Search
Collect JSON-formatted events via TCP, and automatically parse and store them in Cribl Search for fast analysis.
Before You Begin
You’ll need:
- Cribl.Cloud Enterprise. For details, see Pricing.
- Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
- A TCP client that can send newline-delimited JSON to Cribl Search.
You don’t need Cribl Stream, Edge, or Lake. (Looking for the TCP JSON Source in Cribl Stream instead?)
1. Add a Lakehouse Engine
See Lakehouse Engines in Cribl Search.
2. Set Up Your Search Datasets
Create the Search Datasets you’ll route events into, and set their retention. See Create Search Datasets.
3. Add a TCP JSON Source in Cribl Search
On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > TCP JSON.
Describe Your Source
Under General, configure:
| Setting | Description | Example |
|---|---|---|
| ID | Source ID, unique across your Cribl.Cloud Workspace. Use letters, numbers, underscores, hyphens. | tcp_json_prod |
| Description | Describe your Source so others know what it’s for. | Ingests TCP JSON from prod servers |
| Address | Hostname (FQDN) that your TCP client connects to. You’ll need this to set up your TCP client. | search.main.foo-bar-abc123.cribl.cloud |
| Port | Network port to listen on. Keep the default unless it conflicts with another service. | 10070 (default) |
Set Up Authentication
Use authentication to make sure only authorized TCP clients can send data to your Cribl Search Source.
Under Authentication, set the Authentication method to:
- Manual for quick setup or testing.
- Secret to securely manage credentials in production environments. (See Create and Manage Secrets in Cribl Stream.)
| Setting | Description | Example |
|---|---|---|
Auth token | Shared secret that your TCP client will need to provide in the authToken header field.Enter a token text, or select Generate for a random one. Leave blank to allow unauthorized access. | 420 |
| Setting | Description | Example |
|---|---|---|
Auth token (text secret) | Reference to a stored secret containing the token. You’ll need this to set up your TCP client. Select a secret or Create a new one. (See Create and Manage Secrets in Cribl Stream). | sec_tcp_token |
Set Up Encryption
Use TLS encryption to protect your data in transit between upstream TCP clients and your Cribl Search Source.
Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.
| TLS Version | When to Use |
|---|---|
| 1.3 | Recommended. Provides the best security. |
| 1.2 | Use only when connecting to older systems that don’t support TLS 1.3. |
| Older than 1.2 | Avoid if possible. These versions are no longer considered secure. |
Select Save to create the Source.
4. Set Up Datatyping
Configure Datatype rules to parse, filter, and normalize your data into structured fields. We call this process Datatyping.
On the Cribl.Cloud top bar, select Products > Search > Data > Datatyping (auto). Here, you can:
- Use Auto-Datatyping to parse your data automatically.
- Check for uncategorized data that didn’t match any Datatype rules.
- Handle the uncategorized data by adding custom Datatype rules.
See also:
- Datatypes in Cribl Search
- v2 Datatypes in Cribl Search
- List of Stock v2 Datatypes
- Add a Custom v2 Datatype
5. Set Up Dataset Rules
Configure Dataset rules to route the parsed events into your Search Datasets.
On the Cribl.Cloud top bar, select Products > Search > Data > Datasets: Organize Your Data, and see Organize Data with Dataset Rules for details.
6. Set Up Your TCP Client
Configure your upstream TCP client to send newline-delimited JSON to your Cribl Search Source.
You’ll need these details from your Source configuration:
| Name | Example |
|---|---|
| Address | search.main.foo-bar-abc123.cribl.cloud |
| Port | 10070 (default) |
| Auth Token | 420 |
To find these for an existing Source: On the Cribl.Cloud top bar, select Products > Search > Data > Sources, and select your Source.
Example (TCP JSON > Cribl Search)
Create a test.json file with the following content. Replace the example address
(search.main.foo-bar-abc123.cribl.cloud), auth token, and port (if you changed the default 10070) with your Source
values.
echo '{"authToken":"420"}
{"_raw":"this is a sample event", "host":"myHost", "source":"mySource", "fieldA":"valueA"}
{"_raw":"this is another sample event", "host":"myOtherHost", "source":"myOtherSource", "fieldA":"valueA"}' > test.json
cat test.json | ncat --ssl --ssl-verify search.main.foo-bar-abc123.cribl.cloud 100707. Start Sending Data
Start sending events from your TCP client, and verify that they’re successfully flowing into Cribl Search.
On the Cribl.Cloud top bar, select Products > Search > Data > Live Data.
Here, check for your TCP JSON Source. For details, see See Live Data Flow.
Next Steps
Now that your data is in Cribl Search, you can start using it. For example: