Configuration Files
Configuration files store the configuration changes locally on your system. They reflect the changes you make to configuration settings in the UI.
You can preview how settings are translated into configuration changes in the Git Changes modal whenever you commit your changes via the Version Control option.
Typically, you do not modify configuration files manually. If you need to edit the configuration outside the UI, Cribl recommends using the API. However, if your particular use case requires it, in an on-prem deployment the files are open for editing.
Configuration File Locations
In an on-prem deployment, configuration files are stored in the $CRIBL_HOME/local/cribl directory
(where $CRIBL_HOME is your installation directory, for example, /opt/cribl/).
Configuration for specific Worker Groups or Fleets is located $CRIBL_HOME/groups/<group-or-fleet-name>/local/cribl.
You can view the default configurations by taking a look in the default directory, instead of local.
Pack configuration resides within a separate subdirectory for each Pack:
$CRIBL_HOME/default/<pack_name>.
| Configuration file/folder | Description |
|---|---|
ai.yml | Cribl AI settings. |
app-limits.yml | Internal limit configuration. |
appscope.yml | Deprecated legacy instrumentation configuration file. |
breakers-search.yml | Cribl Search Event Breaker settings. |
breakers.yml | Event Breakers configuration. |
certificates.yml | TLS/SSL certificates. |
collectors | Directory storing individual Collector configurations. |
conditions | Directory storing configurations for Notification conditions. |
cribl.yml | General system configuration. |
dataset-providers.yml | Cribl Search Dataset Providers. |
datasets.yml | Cribl Search Datasets. |
email-templates.yml | Templates for Email Notifications. |
executors | Executor job configurations. |
fleet-mappings.yml | Mapping rulesets for Edge Nodes. |
functions | Directory storing individual Function configurations. |
grok-patterns | Directory storing individual Grok Pattern configurations. |
groups.yml | Worker Group and Edge Fleet settings. |
inputs.yml | Sources configuration. |
instance.yml | Configuration for the current instance. |
iometrics.yml | Metrics levels for individual Sources and Destinations in Cribl Stream. |
ipfix-information-elements.yml | Predefined IPFIX fields for handling and decoding IPFIX fields from the Cribl Stream NetFlow & IPFIX Source. |
jobs.yml | Collector configuration. |
job-limits.yml | Parameters for Collection jobs and system tasks. |
kms.yml | KMS provider configuration. |
lake-config.yml | Configuration for Cribl Lake. |
lakes.yml | Configuration for individual Cribl Lake datasets. |
leader.yml | Secondary Leader configuration. |
licenses.yml | Licenses. |
limits.yml | Limit configuration. |
logger.yml | Logging levels and redactions. |
mappings.yml | Mapping rulesets for Stream Workers. |
messages.yml | Messages displayed in the UI’s Messages fly-out. |
mdt-devices.yml | Configuration for MDT (Model Driven Telemetry) devices. |
notifications.yml | Notifications and Notification targets. |
notification-templates.yml | Templates for email Notifications. |
outpost.yml | Configuration for Cribl Outpost. |
outputs.yml | Destinations configuration. |
parquet-schemas.yml | Parquet Schemas. |
parquet-schemas | Directory storing individual Parquet Schema configurations. |
parsers.yml | Parsers Library. |
perms.yml | Permission configuration. |
persistent-queue.yml | Persistent queue configuration. |
pipelines | Directory storing individual Pipeline configurations. |
policies.yml | RBAC Policies. |
protobuf-libraries.yml | Configuration for Protobuf libraries. |
redis-cache-limits.yml | Redis cache settings. |
redis-limits.yml | Redis connection settings. |
regexes.yml | Regex Library. |
roles.yml | RBAC Roles. |
route.yml | Route configuration. Located in local/cribl/pipelines/routes.yml. |
samples.yml | Metadata about about stored sample data files. |
saved-queries.yml | Saved searches in Cribl Search. |
schemas.yml | Schema Library. |
schemas | Directory storing individual schema configurations. |
scripts.yml | Scripts configured at Settings > Global > Scripts. |
sds-rules.yml | Cribl Guard rules. |
sds-rulesets.yml | Cribl Guard rulesets. |
search-limits.yml | Limit configuration for Cribl Search. |
search-usage-groups | Cribl Search Usage Group configuration. |
secrets.yml | Secrets. |
scope_protocol.yml | Deprecated legacy instrumentation configuration for protocol detection. |
scope.yml | Deprecated legacy instrumentation configuration. |
search-limits.yml | Cribl Search limits. |
search-usage-groups.yml | Cribl Search Usage Groups. |
service.yml | Service processes. |
vars.yml | Variables Library. |
Configurations and Restart
You can Restart and Reload via the UI. In the sidebar, select Settings, then Global. Under System > Controls select Reload or Restart.
In a distributed environment, Worker Nodes poll the Leader for configuration changes. Many of these changes require a quick reload to read the new configuration, while others require a restart of the Cribl processes on the Worker Node.
Upon restarts, be aware of the following:
- Syslog data still being received over UDP might be dropped.
- Worker Nodes will temporarily disappear from the Leader’s Workers or Edge Nodes page.
- Aggregation and suppression operations will start over.
- Worker Nodes’ local copies of Monitoring metrics will be dropped.
- Cribl Stream will drop any events still in RAM that were bound for persistent queues. (However, PQ data already written to disk will persist through the restart.)
Changes that require reloads include configuration changes to:
- Functions
- Pipelines
- Packs
- Routes
- Lookups
- Parquet schemas
- Global variables
- Group Settings > Limits
- Group Settings > Logging > Levels
Changes that require restarts include configuration changes to:
- Distributed mode (Leader versus Managed Worker Node or Single instance)
- Worker Group assignment
- Event Breakers
- QuickConnect configs
- Sources
- Destinations
- Group Settings > General Settings > TLS
- Group Settings > General Settings > Advanced
- Group Settings > Worker Processes > Process count and Memory
How Configuration Changes Apply
In a Distributed deployment, how a change applies across each Worker Node in a Worker Group depends on the type of change:
- Sources and Destinations: Cribl Stream restarts Worker Processes on each Worker Node to apply the change.
- In Cribl Stream, a Worker Node can run multiple Worker Processes, so they restart in a rolling fashion and the Node keeps processing data during the change. For the rolling restart mechanics, see Worker Process Rolling Restart in the Cribl Stream docs.
- In Cribl Edge, each Edge Node runs a single Worker Process, so it simply restarts that process.
- Routes, Pipelines, and Lookups or other knowledge objects: Cribl Stream reloads the configuration without restarting Worker Processes, so data flow continues uninterrupted.
- Worker Group settings that involve the API Process (such as API, TLS, Proxy, and Security settings): Cribl Stream restarts all Worker Processes at once rather than in a rolling fashion. All Worker Processes stop before the API Process restarts, and then the API Process starts them again.
Some general guidelines to keep in mind:
- Most UI interactions, such as changing the order of Functions in a Pipeline or changing the order of Routes, do not require restarts.
- Some configuration changes in the Settings UI do require restarts. These prompt you for confirmation before restarting.
- All direct edits of configuration files in
$CRIBL_HOME/local/require restarts. - Worker Nodes might temporarily disappear from the Leader’s Workers or Edge Nodes tab while restarting.
- A
git commitcommand on the Leader Node’s host (using a freestandinggitclient not embedded in Cribl’s CLI or UI) requires either a reload or restart. - When using the Cribl App for Splunk, changes to Splunk configuration files might or might not require restarts. Please check current Splunk docs.