Cribl - Docs

Getting started with Cribl LogStream

Questions? We'd love to help you! Meet us in #cribl (sign up)

Changelog    Guides


Cribl supports receiving of data over TCP in JSON format.

Configuring Cribl to receive TCP JSON data.

While on Sources screen, select TCP JSON from the vertical menu, then click Add New:

  • Input Id: Enter a unique name to identify this TCP JSON source definition.
  • Host: Enter hostname/IP to listen for TCP JSON data. E.g. localhost or
  • Port: Enter port number.

TLS Settings (server side)

  • Disabled defaults to Yes. When toggled to No:
    • Private Key Path: Path on server where to find the private key to use in PEM format. Path can reference $ENV_VARS.
    • Certificate Path : Path on server where to find certificates to use in PEM format. Path can reference $ENV_VARS.
    • CA Certificate Path : Path on server where to find CA certificates to use in PEM format. Path can reference $ENV_VARS.
    • Authenticate Client (mutual auth): Require clients to present their certificates. Used to perform mutual authentication using SSL certs. Defaults to No.
    • Validate Client Certs: Require server to reject any connection which is not authorized with the list of supplied CAs. Defaults to No.
  • IP Whitelist Regex: Regex matching IP addresses that are allowed to establish a connection. Defaults to .* i.e. all IPs.
  • Shared secret (authToken): Shared secret to be provided by any client (in authToken header field). If empty, unauthenticated access will be permitted.

Then, click Save


At the time of this writing, TCP JSON events are expected in new line delimited JSON format:

  1. A header line. Can be empty. E.g. {}. If authToken is enabled (see above) it should be included here as a field called authToken. In addition, if events contain common fields they can be included here under fields. In the example below region and AZ will be automatically added to all events.
  2. A JSON event/record per line.
{"authToken":"myToken42", "fields": {"region": "us-east-1", "AZ":"az1"}}

{"_raw":"this is a sample event ", "host":"myHost", "source":"mySource", "fieldA":"valueA", "fieldB":"valueB"}
{"host":"myOtherHost", "source":"myOtherSource", "_raw": "{\"message\":\"Something informative happened\", \"severity\":\"INFO\"}"}

Note: if a TCP JSON source is routed to a Splunk destination, fields within the JSON payload are mapped to Splunk fields. Fields that do not have corresponding (native) Splunk fields become index-time fields. For example, let's assume we have a TCP JSON event as below:

{"_time":1541280341, "host":"myHost", "source":"mySource", "_raw":"this is a sample event ", "fieldA":"valueA"}

_time, host and source become their corresponding fields in Splunk. The value of _raw becomes the actual body of the event and fieldA becomes an index-time field. (fieldA::valueA)


  1. Configure Cribl to listen on port 10001 for TCP JSON. Set authToken to myToken42.
  2. Create a file called test.json with the payload above.
  3. Send it over to your Cribl host: cat test.json | nc <myCriblHost> 10001