Home / Stream/ Reference/Configuration Files

Configuration Files

Configuration files store the configuration changes locally on your system. They reflect the changes you make to configuration settings in the UI.

You can preview how settings are translated into configuration changes in the Git Changes modal whenever you commit your changes via the Version Control option.

Modifications to configuration files presented as Git changes
Git Changes screen showing Git diff with changes to configuration files.

Typically, you do not modify configuration files manually. If you need to edit the configuration outside the UI, Cribl recommends using the API. However, if your particular use case requires it, in an on-prem deployment the files are open for editing.

Configuration File Locations

In an on-prem deployment, configuration files are stored in the $CRIBL_HOME/local/cribl directory (where $CRIBL_HOME is your installation directory, for example, /opt/cribl/). Configuration for specific Worker Groups or Fleets is located $CRIBL_HOME/groups/<group-or-fleet-name>/local/cribl.

You can view the default configurations by taking a look in the default directory, instead of local.

Pack configuration resides within a separate subdirectory for each Pack: $CRIBL_HOME/default/<pack_name>.

Configuration file/folderDescription
ai.ymlCribl Copilot settings.
app-limits.ymlInternal limit configuration.
appscope.ymlAppscope configuration.
breakers-search.ymlCribl Search Event Breaker settings.
breakers.ymlEvent Breakers configuration.
certificates.ymlTLS/SSL certificates.
collectorsDirectory storing individual Collector configurations.
conditionsDirectory storing configurations for Notification conditions.
cribl.ymlGeneral system configuration.
dataset-providers.ymlCribl Search Dataset Providers.
datasets.ymlCribl Search Datasets.
email-templates.ymlTemplates for Email Notifications.
executorsExecutor job configurations.
fleet-mappings.ymlMapping rulesets for Edge Nodes.
functionsDirectory storing individual Function configurations.
grok-patternsDirectory storing individual Grok Pattern configurations.
groups.ymlWorker Group and Edge Fleet settings.
inputs.ymlSources configuration.
instance.ymlConfiguration for the current instance.
iometrics.ymlMetrics levels for individual Sources and Destinations in Cribl Stream.
ipfix-information-elements.ymlPredefined IPFIX fields for handling and decoding IPFIX fields from the NetFlow & IPFIX Source.
jobs.ymlCollector configuration.
job-limits.ymlParameters for Collection jobs and system tasks.
kms.ymlKMS provider configuration.
lake-config.ymlConfiguration for Cribl Lake.
lakes.ymlConfiguration for individual Cribl Lake datasets.
leader.ymlSecondary Leader configuration.
licenses.ymlLicenses.
limits.ymlLimit configuration.
logger.ymlLogging levels and redactions.
mappings.ymlMapping rulesets for Stream Workers.
messages.ymlMessages displayed in the UI’s Messages fly-out.
mdt-devices.ymlConfiguration for MDT (Model Driven Telemetry) devices.
notifications.ymlNotifications and Notification targets.
notification-templates.ymlTemplates for email Notifications.
outputs.ymlDestinations configuration.
parquet-schemas.ymlParquet Schemas.
parquet-schemasDirectory storing individual Parquet Schema configurations.
parsers.ymlParsers Library.
perms.ymlPermission configuration.
persistent-queue.ymlPersistent queue configuration.
pipelinesDirectory storing individual Pipeline configurations.
policies.ymlRBAC Policies.
protobuf-libraries.ymlConfiguration for Protobuf libraries.
redis-cache-limits.ymlRedis cache settings.
redis-limits.ymlRedis connection settings.
regexes.ymlRegex Library.
roles.ymlRBAC Roles.
route.ymlRoute configuration. Located in local/cribl/pipelines/routes.yml.
samples.ymlMetadata about about stored sample data files.
saved-queries.ymlSaved searches in Cribl Search.
schemas.ymlSchema Library.
schemasDirectory storing individual schema configurations.
scripts.ymlScripts configured at Settings > Global > Scripts.
secrets.ymlSecrets.
scope_protocol.ymlAppscope configuration for protocol detection.
scope.ymlAppscope configuration.
search-limits.ymlCribl Search limits.
search-usage-groups.ymlCribl Search Usage Groups.
service.ymlService processes.
vars.ymlVariables Library.

Configurations and Restart

You can Restart and Reload via the UI. In the sidebar, select Settings, then Global. Under System > Controls select Reload or Restart.

In a distributed environment, Worker Nodes poll the Leader for configuration changes. Many of these changes require a quick reload to read the new configuration, while others require a restart of the Cribl processes on the Worker Node.

Upon restarts, be aware of the following:

  • Syslog data still being received over UDP might be dropped.
  • Worker Nodes will temporarily disappear from the Leader’s Workers or Edge Nodes page.
  • Aggregation and suppression operations will start over.
  • Worker Nodes’ local copies of Monitoring metrics will be dropped.
  • Cribl Stream will drop any events still in RAM that were bound for persistent queues. (However, PQ data already written to disk will persist through the restart.)

Changes that require reloads include configuration changes to:

  • Functions
  • Pipelines
  • Packs
  • Routes
  • Lookups
  • Parquet schemas
  • Global variables
  • Group Settings > Limits
  • Group Settings > Logging > Levels

Changes that require restarts include configuration changes to:

  • Distributed mode (Leader versus Managed Worker Node or Single instance)
  • Worker Group assignment
  • Event Breakers
  • QuickConnect configs
  • Sources
  • Destinations
  • Group Settings > General Settings > TLS
  • Group Settings > General Settings > Advanced
  • Group Settings > Worker Processes > Process count and Memory

Some general guidelines to keep in mind:

  • Configuration changes generated by most UI interactions – for instance, changing the order of Functions in a Pipeline, or changing the order of Routes – do not require restarts.
  • Some configuration changes in the Settings UI do require restarts. These will prompt you for confirmation before restarting.
  • All direct edits of configuration files in $CRIBL_HOME/local/ will require restarts.
  • Worker Nodes might temporarily disappear from the Leader’s Workers or Edge Nodes tab while restarting.
  • A git commit command on the Leader Node’s host (using a freestanding git client not embedded in Cribl’s CLI or UI) will require either a reload or restart.
  • When using the Cribl App for Splunk, changes to Splunk configuration files might or might not require restarts. Please check current Splunk docs.