.. _cribl_logstream_api:

Cribl LogStream API
###################

.. admonition:: About Cribl LogStream API

   TrackMe provides a native integration with Cribl LogStream, allowing native SPL commands to be used to interact with Cribl LogStream.

Overview
========

The **TA-trackme-cribl** Splunk Add-on provides API integration between Splunk and Cribl LogStream, enabling you to interact with Cribl's API directly from Splunk using native SPL commands. This integration supports both on-premise Cribl deployments and Cribl Cloud environments.

Key Features
============

* **Multi-Environment Support**: Configure and manage connections to both on-premise Cribl deployments and Cribl Cloud
* **Native SPL Integration**: Access the Cribl API through the built-in ``cribl`` command in Splunk
* **Real-Time Metrics**: Retrieve and chart real-time metrics from Cribl for operations such as pipeline monitoring
* **Role-Based Access Control**: Implement least-privilege access with granular, per-account role permissions
* **Predefined Functions**: Built-in functions for common operations such as retrieving pipeline metrics, worker information, and system statistics
* **SSL Certificate Support**: Configure custom SSL certificates (for example an internal CA bundle) for secure connections
* **Connectivity Testing**: Built-in tools to test API connectivity before account configuration

Requirements
============

**Application Dependencies**

No dependencies on other Splunk applications are required.

**Network Requirements**

The Splunk Search Head must have network connectivity to the Cribl API endpoints (the on-premise Leader, or Cribl Cloud).

**Authentication**

Supports both on-premise (username/password) and Cloud (client_id/client_secret) authentication methods.
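The two authentication methods above, together with the account-level checks described under Configuration and Access Control (SSL verification mandatory for Cloud, an ``https://`` Leader URL for on-premise, and the ``criblapi`` capability combined with one of the account's ``rbac_roles``), as an added Python example. This is not code from TA-trackme-cribl: the ``CriblAccount`` class and the function names are this example's own, the way the capability and ``rbac_roles`` are combined is this example's modelling, and the login endpoints (``/api/v1/auth/login`` on the on-premise Leader, the ``login.cribl.cloud`` OAuth client-credentials endpoint with audience ``https://api.cribl.cloud`` for Cloud) are assumptions. Nothing here contacts the network; each function returns the request it would send so the logic can be checked offline.

```python
"""Added example, not TA-trackme-cribl code. Models the two Cribl
authentication modes and the account checks documented on this page.
Assumed (not from the page): the login endpoint paths and the Cloud
OAuth audience below. No network calls are made."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple, Union
from urllib.parse import urlsplit


@dataclass
class CriblAccount:
    # Field names follow the account parameters documented on this page.
    cribl_deployment_type: str            # "cloud" or "onprem"
    cribl_client_id: str                  # username (onprem) or client_id (cloud)
    cribl_client_secret: str              # password (onprem) or client_secret (cloud)
    rbac_roles: str                       # comma-separated Splunk roles
    cribl_ssl_verify: bool = True
    cribl_cloud_organization_id: str = ""
    cribl_onprem_leader_url: str = ""
    cribl_ssl_certificate_path: str = ""  # PEM CA bundle for custom certificates


def parse_roles(csv: str) -> List[str]:
    """Split the comma-separated rbac_roles value, dropping blanks."""
    return [r.strip() for r in csv.split(",") if r.strip()]


def validate_account(acct: CriblAccount) -> List[str]:
    """Return the reasons an account must be rejected (empty list = accept)."""
    errors: List[str] = []
    kind = acct.cribl_deployment_type.lower()
    if kind not in ("cloud", "onprem"):
        errors.append("cribl_deployment_type must be 'cloud' or 'onprem'")
    if not acct.cribl_client_id or not acct.cribl_client_secret:
        errors.append("credentials are required")
    if not parse_roles(acct.rbac_roles):
        errors.append("rbac_roles must list at least one role")
    if kind == "cloud":
        if not acct.cribl_cloud_organization_id:
            errors.append("cribl_cloud_organization_id is required for Cloud")
        if not acct.cribl_ssl_verify:
            # The page states SSL verification is mandatory for Cloud.
            errors.append("cribl_ssl_verify cannot be disabled for Cloud")
    if kind == "onprem":
        parts = urlsplit(acct.cribl_onprem_leader_url)
        if parts.scheme != "https" or not parts.netloc:
            # Credentials travel in the login body; never send them over http.
            errors.append("cribl_onprem_leader_url must be an https:// URL")
    return errors


def is_authorized(user_roles: Sequence[str], user_capabilities: Sequence[str],
                  acct: CriblAccount) -> bool:
    """Least-privilege gate (this example's modelling): the criblapi
    capability AND membership in one of the account's rbac_roles."""
    if "criblapi" not in set(user_capabilities):
        return False
    return bool(set(user_roles) & set(parse_roles(acct.rbac_roles)))


def auth_request(acct: CriblAccount) -> Tuple[str, Dict[str, str], Union[bool, str]]:
    """Build (url, json_body, verify) for the first authentication call.
    Secrets go in the body, never in the URL or query string; `verify`
    is a bool or a CA-bundle path in the style of requests' verify=."""
    kind = acct.cribl_deployment_type.lower()
    if kind == "cloud":
        url = "https://login.cribl.cloud/oauth/token"   # assumed endpoint
        body = {
            "grant_type": "client_credentials",
            "client_id": acct.cribl_client_id,
            "client_secret": acct.cribl_client_secret,
            "audience": "https://api.cribl.cloud",      # assumed audience
        }
        return url, body, True                           # Cloud: always verify
    url = acct.cribl_onprem_leader_url.rstrip("/") + "/api/v1/auth/login"  # assumed endpoint
    body = {"username": acct.cribl_client_id, "password": acct.cribl_client_secret}
    # Prefer a pinned CA bundle over a bare True, and never silently fall back to False.
    verify: Union[bool, str] = acct.cribl_ssl_certificate_path or acct.cribl_ssl_verify
    return url, body, verify


if __name__ == "__main__":
    # Constructed accounts for demonstration; credentials are placeholders.
    cloud = CriblAccount("cloud", "client-id", "client-secret", "trackme_admin", True, "org123")
    onprem = CriblAccount("onprem", "svc_trackme", "pw", "trackme_admin,admin", True, "",
                          "https://leader.example:9000", "/opt/splunk/etc/certs/internal-ca.pem")
    for acct in (cloud, onprem):
        print(acct.cribl_deployment_type, validate_account(acct) or "ok", auth_request(acct)[0])
```

The check that matters most for day-to-day safety is the last one in ``auth_request``: an on-premise account with ``cribl_ssl_verify`` turned off silently accepts any certificate, so an internal CA bundle in ``cribl_ssl_certificate_path`` is the right way to make an internal Leader trusted.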
Configuration
=============

Account Configuration
---------------------

When creating a Cribl account, you need to configure the following parameters:

* **cribl_deployment_type**: Specify whether it is a Cloud or on-premise deployment
* **cribl_cloud_organization_id**: Organization ID for Cribl Cloud deployments
* **cribl_onprem_leader_url**: Leader URL for on-premise deployments (format: ``https://<host>:<port>``)
* **cribl_client_id**: Username for on-premise or client_id for Cloud
* **cribl_client_secret**: Password for on-premise or client_secret for Cloud
* **rbac_roles**: Comma-separated list of Splunk roles required for access to this account
* **cribl_ssl_verify**: Enable/disable SSL certificate verification (mandatory for Cloud). Disabling it for an on-premise deployment leaves the connection, and the credentials it carries, open to interception; prefer supplying the issuing CA through ``cribl_ssl_certificate_path`` instead
* **cribl_ssl_certificate_path**: Path to a PEM file for custom certificates, for example the CA bundle that issued an internal Leader's certificate

The application automatically tests connectivity during account creation and refuses to create the account if authentication fails.

Access Control
==============

**Capabilities & Built-in Roles**

* Capability: ``criblapi``
* Built-in role: ``cribl_api``

**Role-Based Access Control**

Configure access on a per-account basis using the ``rbac_roles`` parameter. The default list is: ``admin``, ``sc_admin``, ``trackme_user``, ``trackme_power``, ``trackme_admin``.

Keep ``rbac_roles`` to the smallest set of roles that genuinely need the account: any user in a listed role can issue arbitrary GET and POST requests against the Cribl API with the stored credentials, including event captures, which return raw event payloads to the Splunk search.

Usage Examples
==============

Testing Connectivity
--------------------

Test the Cribl API connection:

.. code-block::

   | cribl account=cribl mode=get url="/api/v1/master/groups?fields=workerCount&product=stream" run_test=True

Event Capture
-------------

The ``filter`` value is a Cribl filter expression evaluated on the worker; the matching events are returned in clear to the search, so restrict this to roles entitled to see that data.

Capture events by index:

.. code-block::

   | cribl account=cribl mode=post url="/api/v1/system/capture" body="{'filter': 'index.includes(\'eventgen-firewall\')', 'maxEvents': 15, 'level': 0}"

Capture events by input ID:

.. code-block::

   | cribl account=cribl mode=post url="/api/v1/system/capture" body="{'filter': '__inputId==\'splunk_hec:in_splunk_hec\'', 'maxEvents': 15, 'level': 0}"

Worker Information
------------------

Get worker count and information:

.. code-block::

   | cribl account=cribl mode=get url="/api/v1/master/groups?fields=workerCount&product=stream" | spath

Get extended worker stats (the ``filterExp`` value is the URL-encoded expression ``info.cribl.distMode=="worker"``):

.. code-block::

   | cribl account=cribl mode=get url="/api/v1/master/workers?filterExp=info.cribl.distMode%3D%3D%22worker%22" | spath

System Configuration
--------------------

Get groups (Cribl Stream only):

.. code-block::

   | cribl account=cribl mode=get url="/api/v1/master/groups?product=stream" | spath

Get inputs:

.. code-block::

   | cribl account=cribl mode=get url="/api/v1/m/default/system/inputs" | spath

Get outputs:

.. code-block::

   | cribl account=cribl mode=get url="/api/v1/m/default/system/outputs" | spath

Get pipelines:

.. code-block::

   | cribl account=cribl mode=get url="/api/v1/m/default/pipelines" | spath

Metrics and Monitoring
----------------------

Get system metrics:

.. code-block::

   | cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_global_metrics"

Get pipeline metrics:

.. code-block::

   | cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_pipelines_metrics"

Get destination metrics:

.. code-block::

   | cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_destinations_metrics"

Get routes metrics:

.. code-block::

   | cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_routes_metrics"

Troubleshooting
===============

Logs
----

**Internal REST API Logs**

Available at: ``index=_internal sourcetype="cribl:rest_api"``

**Custom Command Logs**

Available at: ``index=_internal sourcetype="cribl:custom_commands:cribl"``

Connectivity Testing
--------------------

Test connectivity before account creation, filling in the credentials of the account under test:

.. code-block::

   | cribl mode=post url="/services/cribl/v1/test_cribl_connectivity" body="{'cribl_deployment_type': 'cloud', 'cribl_client_id': '', 'cribl_client_secret': ''}"

Because the credentials are passed inline in the search string, they are recorded in the user's search history and in the ``_audit`` index along with every other search. Run this test with credentials you are prepared to rotate, or rotate them once the account has been created.

Important Notes
===============

* **Time Range Support**: The integration automatically applies the Splunk search time range when querying metrics
* **API Limitations**: The Cribl API provides up to 3 hours of metrics at 10-second granularity; beyond that window, metrics are rolled up into 10-minute spans
* **JSON Parsing**: Use the ``spath`` command to extract fields from JSON API responses
* **Performance Testing**: Add ``run_test=True`` to any command to get response time and status information

Download and Installation
=========================

**GitHub Repository**

`TA-trackme-cribl `_

**Download Page**

`TrackMe Solutions Downloads `_

License and Support
===================

**License**

This application is licensed under the TrackMe EULA. See `TrackMe License `_ for details.

**Terms & Conditions**

Available at `TrackMe Terms & Conditions `_

**Support**

Support information is available at `TrackMe Support `_
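The capture requests shown under Event Capture build a Cribl filter expression around a literal index name or input ID. When that value comes from a dashboard token or other user input, it has to be emitted as a JavaScript string literal rather than pasted into the expression, because the filter is evaluated as a JavaScript expression on the worker. The following added Python example, which is not code from TA-trackme-cribl, shows the naive concatenation beside the quoted form and the request body that results; the helper names and the ``max_events`` ceiling are this example's own choices, and the hostile input is constructed for the demonstration.

```python
"""Added example, not TA-trackme-cribl code. Builds the JSON body for the
Cribl capture endpoint (/api/v1/system/capture) shown on this page, quoting
caller-supplied values so they cannot change the filter expression."""
import json
from typing import Any, Dict


def naive_filter(index: str) -> str:
    """Vulnerable form: the index name is spliced into the expression.
    A name such as x') || true || (' turns the filter into a match-all."""
    return f"index.includes('{index}')"


def js_string(value: str) -> str:
    """Render value as a JavaScript string literal. A JSON string with
    ensure_ascii=True is a valid JS string literal: quotes, backslashes,
    control characters and non-ASCII (including U+2028/U+2029) are escaped."""
    return json.dumps(value, ensure_ascii=True)


def capture_body_for_index(index: str, max_events: int = 15, level: int = 0) -> Dict[str, Any]:
    """Hardened form of the 'capture events by index' request body."""
    if not 1 <= max_events <= 1000:   # ceiling is this example's choice; captures return raw events
        raise ValueError("max_events out of range")
    return {
        "filter": f"index.includes({js_string(index)})",
        "maxEvents": max_events,
        "level": level,
    }


def capture_body_for_input(input_id: str, max_events: int = 15, level: int = 0) -> Dict[str, Any]:
    """Hardened form of the 'capture events by input ID' request body."""
    if not 1 <= max_events <= 1000:
        raise ValueError("max_events out of range")
    return {
        "filter": f"__inputId=={js_string(input_id)}",
        "maxEvents": max_events,
        "level": level,
    }


if __name__ == "__main__":
    hostile = "x') || true || ('"        # constructed input for the demonstration
    print("naive   :", naive_filter(hostile))
    print("quoted  :", capture_body_for_index(hostile)["filter"])
    print("by index:", json.dumps(capture_body_for_index("eventgen-firewall")))
    print("by input:", json.dumps(capture_body_for_input("splunk_hec:in_splunk_hec")))
```

The quoted filter still matches nothing useful for the hostile value, which is the point: a bad index name yields an empty capture rather than a capture of every event passing through the worker.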