On This Page

Home / Stream/ Sources/OpenTelemetry (OTel)

OpenTelemetry (OTel)

Cribl Stream supports receiving trace and metric events from OTLP-compliant senders. (Cribl plans to add support for log events as more components of the OpenTelemetry protocol’s logs support graduate to stable status.)

Type: Push | TLS Support: YES | Event Breaker Support: No

In versions 4.0.3 and later, Cribl Stream supports receiving compressed inbound data (with DEFLATE or gzip compression), as well as the uncompressed data that this Source has always supported.

Supported and Unsupported Input Data

This Source currently supports receiving data over the gRPC protocol.

The OpenTelemetry Project’s Data Sources documentation provides these hierarchical definitions of Cribl Stream’s supported trace and metric event types:

  • A trace tracks the progression of a single request.
  • Each trace is a tree of spans.
  • A span object represents the work being done by the individual services, or components, involved in a request as that request flows through a system.
  • A metric provides aggreggated statistical information.
  • A metric contains individual measurements called data points.

Configuring an OTel Source

From the top nav, click Manage, then select a Worker Group to configure. Next, you have two options:

To configure via the graphical QuickConnect UI, click Routing > QuickConnect (Stream) or Collect (Edge). Next, click + Add Source at left. From the resulting drawer’s tiles, select [Push > ] OpenTelemetry. Next, click either + Add Destination or (if displayed) Select Existing. The resulting drawer will provide the options below.

Or, to configure via the Routing UI, click Data > Sources (Stream) or More > Sources (Edge). From the resulting page’s tiles or left nav, select [Push > ] OpenTelemetry. Next, click New Source to open a New Source modal that provides the options below.

The sections described below are spread across several tabs. Click the tab links at left, or the Next and Prev buttons, to navigate among tabs. Click Save when you’ve configured your Source.

General Settings

Input ID: Unique ID for this Source. E.g., OTel042.

Address: Enter the hostname/IP to listen on. Defaults to 0.0.0.0 (all addresses, IPv4 format). IPv6 addresses must be enclosed in square brackets.

Port: By default, OTel applications send output to port 4317. Do not change this setting unless you want Cribl Stream to collect data from an OTel application that is using a different port.

Optional Settings

Tags: Optionally, add tags that you can use for filtering and grouping in Cribl Stream. Use a tab or hard return between (arbitrary) tag names.

Authentication

Select one of the following options for authentication:

  • None: Don’t use authentication.

  • Auth token: Enter the bearer token that must be included in the authorization header.

  • Auth token (text secret): Provide an HTTP token referenced by a secret. Select a stored text secret in the resulting drop-down, or click Create to configure a new secret.

  • Basic: Displays Username and Password fields for you to enter HTTP Basic authentication credentials.

  • Basic (credentials secret): Provide username and password credentials referenced by a secret. Select a stored text secret in the resulting Credentials secret drop-down, or click Create to configure a new secret.

TLS Settings (Server Side)

In OTel terminology, your Cribl Stream OTel Source will receive OTel data from a Collector running on a local agent. In Cribl Stream’s terminology, the Collector is the client and the OTel Source is the server. This is why this Source’s UI identifies the Source’s TLS Settings as “server-side.”

For more about this client-server relationship, see the TLS Configuration Example below.

Enabled defaults to No. When toggled to Yes:

Certificate name: Name of the predefined certificate.

Private key path: Server path containing the private key (in PEM format) to use. Path can reference $ENV_VARS.

Certificate path: Server path containing certificates (in PEM format) to use. Path can reference $ENV_VARS.

CA certificate path: Server path containing CA certificates (in PEM format) to use. Path can reference $ENV_VARS.

Authenticate client (mutual auth): Require clients to present their certificates. Used to perform mutual authentication using SSL certs. Defaults to No. When toggled to Yes:

  • Validate client certs: Reject certificates that are not authorized by a CA in the CA certificate path, or by another trusted CA (e.g., the system’s CA). Defaults to No.

Persistent Queue Settings

In this section, you can optionally specify persistent queue storage, using the following controls. This will buffer and preserve incoming events when a downstream Destination is down, or exhibiting backpressure.

On Cribl-managed Cribl.Cloud Workers (with an Enterprise plan), this tab exposes only the Enable Persistent Queue toggle. If enabled, PQ is automatically configured in Always On mode, with a maximum queue size of 1 GB disk space allocated per Worker Process.

Enable Persistent Queue: Defaults to No. When toggled to Yes:

Mode: Select a condition for engaging persistent queues.

  • Smart: This default option will engage PQ only when the Source detects backpressure from the Cribl Stream data processing engine.
  • Always On: This option will always write events into the persistent queue, before forwarding them to the Cribl Stream data processing engine.

Max buffer size: The maximum number of events to hold in memory before reporting backpressure to the Source. Defaults to 1000.

Commit frequency: The number of events to send downstream before committing that Stream has read them. Defaults to 42.

Max file size: The maximum data volume to store in each queue file before closing it and (optionally) applying the configured Compression. Enter a numeral with units of KB, MB, etc. If not specified, Cribl Stream applies the default 1 MB.

Max queue size: The maximum amount of disk space that the queue is allowed to consume, on each Worker Process. Once this limit is reached, Cribl Stream will stop queueing data, and will apply the Queue‑full behavior. Enter a numeral with units of KB, MB, etc. If not specified, the implicit 0 default will enable Cribl Stream to fill all available disk space on the volume.

Queue file path: The location for the persistent queue files. Defaults to $CRIBL_HOME/state/queues. To this field’s specified path, Cribl Stream will append /<worker-id>/inputs/<input-id>.

Compression: Optional codec to compress the persisted data after a file is closed. Defaults to None; Gzip is also available.

Setting the PQ Mode to Always On can degrade throughput performance. Select this mode only if you want guaranteed data durability. As a trade-off, you might need to either accept slower throughput, or provision more machines/faster disks.

Processing Settings

Fields

In this section, you can add Fields to each event, using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field’s value, enclosed in quotes or backticks. (Can evaluate to a constant.)

Pre-Processing

In this section’s Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Advanced Settings

Max active connections: Maximum number of active connections allowed per Worker Process. Defaults to 1000. Set a lower value if connection storms are causing the Source to hang. Set 0 for unlimited connections.

The Extract spans and Extract metrics settings are unique to OTel. Their default No settings allow Cribl Stream to essentially function as a bump on the wire, generating a single event for each incoming OTel event. This can be useful when, for example, you want to send whole OTel events to persistent storage.

Extract spans: Toggle to Yes if you want Cribl Stream to generate an individual event for each span. (Recall that traces contain multiple spans.)

Extract metrics: Toggle to Yes if you want Cribl Stream to generate an individual event for each data point. (Recall that OTel metric events contain multiple data points.)

Environment: Optionally, specify a single Git branch on which to enable this configuration. If this field is empty, the config will be enabled everywhere.

Connected Destinations

Select Send to Routes to enable conditional routing, filtering, and cloning of this Source’s data via the Routing table.

Select QuickConnect to send this Source’s data to one or more Destinations via independent, direct connections.

TLS Configuration Example

Here’s a simple example for using TLS to secure the communication between an OpenTelemetry client and your Cribl Stream OTel Source.

  1. Choose or generate a certificate and key. If you need to generate a certificate/key pair, you can adapt the following OpenSSL command:

    openssl req -nodes -new -x509 -newkey rsa:2048 -keyout myKey.pem -out myCert.pem -days 420

    This example command will generate both a self-signed cert named myCert.pem (certified for 420 days), and an unencrypted, 2048-bit RSA private key named myKey.pem.

  2. Configure the TLS Settings (Server Side). Toggle Enabled to Yes, then:

    • Enter the appropriate values in the Certificate name, Private key path, and Certificate path fields. A Create link is available if you need a new certificate, and Certificate name also works as a drop-down to allow you to choose from any existing certificates.
    • Leave the CA certificate path field empty.
    • Leave Authenticate client (mutual auth) toggled to No.

  3. Configure the OTel client. See the OTel Collector TLS Configuration Settings README for an explanation of the relevant settings. The config file might be named otel-config.yaml, otel-local-config.yaml, or just config.yaml, depending on your environment. This YAML file will have an exporters section, which you must edit to include an otlp sub-section, as follows:

    • Add an endpoint whose value is the IP address of either (a) the Cribl Stream Worker Node on which your OTel Source is running, or (b) the IP address of the load balancer for the relevant Worker Group. In the example snippet below, this is the <Cribl_IP_address>. Specify the port on which Cribl Stream’s OTel Source is listening; port 4317 is the default.
    • Set tls > insecure to false. This matches your setting TLS Settings (Server Side) > Enabled to Yes on the Cribl Stream OTel Source.
    • Set tls > insecure_skip_verify to true. This matches your setting TLS Settings (Server Side) > Authenticate client (mutual auth) to No on the Cribl Stream OTel Source. Setting insecure_skip_verify to true is also required if you’re using a self-signed certificate.

    Here’s how the section you edited should look:

    exporters:
  otlp:
    endpoint: "https://<Cribl_IP_address>:4317"
    tls:
      insecure: false
      insecure_skip_verify: true