Add a TCP (Raw) Source for Cribl Search
Collect data sent over TCP connections in any format so you can search it fast with Cribl Search.
What’s a TCP (Raw) Source in Cribl Search?
A Cribl Search data source that receives data over TCP from any TCP client in any format and stores it in a Lakehouse engine for fast access. No parsing or formatting is applied.
Looking for the TCP (Raw) Source in Cribl Stream? See TCP (Raw) Source in Cribl Stream.
What You Need First
To set up any Cribl Search Source, you need:
- Cribl.Cloud Enterprise. For details, see Pricing.
- A lakehouse engine. Get one at lakehouse engines.
- Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
Add a TCP (Raw) Source for Cribl Search
On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > TCP (Raw).
1. Describe Your Source
Under General, give your Source an ID and Description, so you and other Search Admins know what the Source is for and if it’s safe to modify.
The ID must be unique across your Workspace and can contain letters, numbers, underscores, and hyphens. Cribl Search
prefixes it with in_ on save (for example, tcp_raw becomes in_tcp_raw).
2. Note the Source Endpoint
Under General, note down the Address and Port. You’ll need them to configure your TCP client to send data here.
Default port: 10060. Keep it unless it conflicts with another service.
3. Set Up Encryption
TLS encryption protects your data in transit between upstream TCP clients and this Source.
Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.
| TLS version | When to use |
|---|---|
| 1.3 | Recommended. Provides the best security. |
| 1.2 | Use only when connecting to older systems that don’t support TLS 1.3. |
| Older than 1.2 | Avoid if possible. These versions are no longer considered secure. |
4. Set Up the Header
Turn Enable header on to require authentication and optionally tag events with fields (for example, source or
environment). s The header includes an authToken and a fields object. The fields are added to every event and make
parsing your events easier.
Header format (must be followed by a newline):
{ "authToken": "myToken", "fields": { "field1": "value1", "field2": "value2" } }5. Set Up Authentication
If you turn on Enable header, you must set up authentication.
Under Authentication, select the Authentication method you want to use: Manual or Secret.
Manual
In Auth token, enter an auth token, or select Generate to automatically generate one. If empty, unauthorized access is permitted.
Secret
In Auth token (text secret), select a stored text secret that holds the token, or choose Create to add a new one (see Create and Manage Secrets).
Next Steps
Confirm with Save. Now, you’re ready to:
- Set Datatype rules for parsing your data. See Shape Your Data.
- Set Dataset rules for organizing your data. See Organize Your Data.
- Configure your TCP client to send data to the Source endpoint.