Cribl LogStream API
About Cribl LogStream API
TrackMe provides a native integration with Cribl LogStream through the cribl SPL command, which lets you call the Cribl LogStream API directly from Splunk searches.
Overview
The TA-trackme-cribl Splunk Add-on provides seamless API integration between Splunk and Cribl LogStream, enabling you to interact with Cribl’s API directly from Splunk using native SPL commands. This integration supports both on-premise Cribl deployments and Cribl Cloud environments.
Key Features
Multi-Environment Support: Configure and manage connections to both on-premise Cribl deployments and Cribl Cloud
Native SPL Integration: Access Cribl API through the built-in cribl command in Splunk
Real-Time Metrics: Retrieve and chart real-time metrics from Cribl for complex operations like pipeline monitoring
Role-Based Access Control: Implement least-privilege access with granular role permissions
Predefined Functions: Built-in functions for common operations like retrieving pipeline metrics, worker information, and system statistics
SSL Certificate Support: Configure custom SSL certificates for secure connections
Connectivity Testing: Built-in tools to test API connectivity before account configuration
Requirements
- Application Dependencies
No dependencies on other Splunk applications required.
- Network Requirements
The Splunk Search Head must have network connectivity to the Cribl API endpoints: the leader URL for on-premise deployments, or the Cribl Cloud endpoints of your organization for Cloud deployments.
- Authentication
Supports both on-premise (username/password) and Cloud (client_id/client_secret) authentication methods.
Configuration
Account Configuration
When creating a Cribl account, you’ll need to configure the following parameters:
cribl_deployment_type: Specify whether it’s a Cloud or on-premise deployment
cribl_cloud_organization_id: Organization ID for Cribl Cloud deployments
cribl_onprem_leader_url: Leader URL for on-premise deployments (format: https://<hostname>:<port>)
cribl_client_id: Username for on-premise or client_id for Cloud
cribl_client_secret: Password for on-premise or client_secret for Cloud
rbac_roles: Comma-separated list of Splunk roles required for access
cribl_ssl_verify: Enable/disable SSL verification (mandatory for Cloud). Keep verification enabled for on-premise deployments as well: with it disabled, the account credentials and the API token are exposed to anyone able to intercept the connection. If the leader uses a certificate from a private CA, supply that CA certificate through cribl_ssl_certificate_path instead of turning verification off.
cribl_ssl_certificate_path: Path to PEM file for custom certificates
The application automatically tests connectivity during account creation and will refuse creation if authentication fails.
Access Control
- Capabilities & Built-in Roles
Capability: criblapi
Built-in role: cribl_api
- Role-Based Access Control
Configure access on a per-account basis using the rbac_roles parameter. By default the following roles are granted access: admin, sc_admin, trackme_user, trackme_power, trackme_admin. Restrict this list to the roles that actually need to query Cribl: any user holding a listed role can issue arbitrary GET and POST requests to the Cribl API with the account's credentials.
Usage Examples
Testing Connectivity
Test the Cribl API connection:
| cribl account=cribl mode=get url="/api/v1/master/groups?fields=workerCount&product=stream" run_test=True
Event Capture
Capture events by index:
| cribl account=cribl mode=post url="/api/v1/system/capture" body="{'filter': 'index.includes(\'eventgen-firewall\')', 'maxEvents': 15, 'level': 0}"
Capture events by input ID:
| cribl account=cribl mode=post url="/api/v1/system/capture" body="{'filter': '__inputId==\'splunk_hec:in_splunk_hec\'', 'maxEvents': 15, 'level': 0}"
Worker Information
Get worker count and information:
| cribl account=cribl mode=get url="/api/v1/master/groups?fields=workerCount&product=stream" | spath
Get extended worker stats (the filterExp value is URL-encoded; decoded, it reads info.cribl.distMode=="worker"):
| cribl account=cribl mode=get url="/api/v1/master/workers?filterExp=info.cribl.distMode%3D%3D%22worker%22" | spath
System Configuration
Get groups (Cribl Stream only):
| cribl account=cribl mode=get url="/api/v1/master/groups?product=stream" | spath
Get inputs:
| cribl account=cribl mode=get url="/api/v1/m/default/system/inputs" | spath
Get outputs:
| cribl account=cribl mode=get url="/api/v1/m/default/system/outputs" | spath
Get pipelines:
| cribl account=cribl mode=get url="/api/v1/m/default/pipelines" | spath
Metrics and Monitoring
Get system metrics:
| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_global_metrics"
Get pipeline metrics:
| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_pipelines_metrics"
Get destination metrics:
| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_destinations_metrics"
Get routes metrics:
| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_routes_metrics"
Troubleshooting
Logs
- Internal REST API Logs
Available at:
index=_internal sourcetype="cribl:rest_api"
- Custom Command Logs
Available at:
index=_internal sourcetype="cribl:custom_commands:cribl"
Connectivity Testing
Test connectivity before account creation:
| cribl mode=post url="/services/cribl/v1/test_cribl_connectivity" body="{'cribl_deployment_type': 'cloud', 'cribl_client_id': '<redacted_client_id>', 'cribl_client_secret': '<redacted_client_secret>'}"
Note that the client secret is part of the search string, and Splunk records search strings in the audit log (index=_audit) and in the user's search history. Prefer the connectivity test that runs automatically when the account is created through the configuration UI; if you do run the search form, treat the secret as exposed and rotate it afterwards.
Important Notes
Time Range Support: The integration automatically respects Splunk time range filters when working with metrics
API Limitations: Cribl API provides up to 3 hours of metrics with 10-second granularity, beyond which metrics are rolled up to 10-minute spans
JSON Parsing: Use spath command to extract fields from JSON API responses
Performance Testing: Add run_test=True to any command to get response time and status information
Download and Installation
- GitHub Repository
- Download Page
License and Support
- License
This application is licensed under the TrackMe EULA. See TrackMe License for details.
- Terms & Conditions
Available at TrackMe Terms & Conditions
- Support
Support information available at TrackMe Support