Cribl LogStream API

About Cribl LogStream API

TrackMe provides a native integration with Cribl LogStream, allowing native SPL commands to be used to interact with Cribl LogStream.

Overview

The TA-trackme-cribl Splunk Add-on provides seamless API integration between Splunk and Cribl LogStream, enabling you to interact with Cribl’s API directly from Splunk using native SPL commands. This integration supports both on-premise Cribl deployments and Cribl Cloud environments.

Key Features

  • Multi-Environment Support: Configure and manage connections to both on-premise Cribl deployments and Cribl Cloud

  • Native SPL Integration: Access Cribl API through the built-in cribl command in Splunk

  • Real-Time Metrics: Retrieve and chart real-time metrics from Cribl for complex operations like pipeline monitoring

  • Role-Based Access Control: Implement least-privilege access with granular role permissions

  • Predefined Functions: Built-in functions for common operations like retrieving pipeline metrics, worker information, and system statistics

  • SSL Certificate Support: Configure custom SSL certificates for secure connections

  • Connectivity Testing: Built-in tools to test API connectivity before account configuration

Requirements

Application Dependencies

No dependencies on other Splunk applications are required.

Network Requirements

The Splunk Search Head must have network connectivity to the Cribl API endpoints.

Authentication

Supports both on-premise (username/password) and Cloud (client_id/client_secret) authentication methods.

Configuration

Account Configuration

When creating a Cribl account, you’ll need to configure the following parameters:

  • cribl_deployment_type: Specify whether it’s a Cloud or on-premise deployment

  • cribl_cloud_organization_id: Organization ID for Cribl Cloud deployments

  • cribl_onprem_leader_url: Leader URL for on-premise deployments (format: https://<hostname>:<port>)

  • cribl_client_id: Username for on-premise or client_id for Cloud

  • cribl_client_secret: Password for on-premise or client_secret for Cloud

  • rbac_roles: Comma-separated list of Splunk roles required for access

  • cribl_ssl_verify: Enable/disable SSL verification (mandatory for Cloud)

  • cribl_ssl_certificate_path: Path to PEM file for custom certificates

The application automatically tests connectivity during account creation and will refuse creation if authentication fails.

Access Control

Capabilities & Built-in Roles

  • Capability: criblapi

  • Built-in role: cribl_api

Role-Based Access Control

Configure access on a per-account basis using the rbac_roles parameter. Default roles include: admin, sc_admin, trackme_user, trackme_power, trackme_admin
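Added example, not code from TA-trackme-cribl: a Python validator for the parameters listed under Account Configuration, enforcing the rules stated there (cribl_ssl_verify mandatory for Cloud, leader URL in https://<hostname>:<port> form, a non-empty rbac_roles list), together with a membership check against the rbac_roles list described in this section. The "onprem" value for cribl_deployment_type and the "any listed role grants access" semantics are assumptions.

```python
import re

# Added, hypothetical validator for the account parameters described above.
# The value "onprem" for cribl_deployment_type is an assumption: the page only
# shows "cloud" (in the connectivity-test body).
LEADER_URL_RE = re.compile(r"^https://[A-Za-z0-9.-]+:\d{1,5}$")
DEFAULT_RBAC_ROLES = "admin,sc_admin,trackme_user,trackme_power,trackme_admin"


def parse_rbac_roles(value):
    """Split the comma-separated rbac_roles string into a clean, de-duplicated list."""
    roles = []
    for raw in value.split(","):
        role = raw.strip()
        if role and role not in roles:
            roles.append(role)
    return roles


def validate_account(cfg):
    """Check one account config; errors should block creation, warnings flag weak settings."""
    errors, warnings = [], []
    dtype = cfg.get("cribl_deployment_type")
    if dtype not in ("cloud", "onprem"):
        errors.append("cribl_deployment_type must be 'cloud' or 'onprem'")
    if not cfg.get("cribl_client_id") or not cfg.get("cribl_client_secret"):
        errors.append("cribl_client_id and cribl_client_secret are required")
    if not parse_rbac_roles(cfg.get("rbac_roles", "")):
        errors.append("rbac_roles must list at least one Splunk role")
    ssl_verify = bool(cfg.get("cribl_ssl_verify", True))
    if dtype == "cloud":
        if not cfg.get("cribl_cloud_organization_id"):
            errors.append("cribl_cloud_organization_id is required for Cloud")
        if not ssl_verify:
            errors.append("cribl_ssl_verify is mandatory for Cloud")
    elif dtype == "onprem":
        if not LEADER_URL_RE.match(cfg.get("cribl_onprem_leader_url", "")):
            errors.append("cribl_onprem_leader_url must be https://<hostname>:<port>")
        if not ssl_verify:
            # Allowed on-premise, but a private CA is better served by a PEM path.
            warnings.append("SSL verification disabled; prefer cribl_ssl_certificate_path")
    return {"errors": errors, "warnings": warnings}


def user_may_use_account(user_roles, rbac_roles=DEFAULT_RBAC_ROLES):
    """Assumed semantics: a user needs at least one of the account's rbac_roles."""
    return bool(set(user_roles) & set(parse_rbac_roles(rbac_roles)))
```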

Usage Examples

Testing Connectivity

Test the Cribl API connection:

| cribl account=cribl mode=get url="/api/v1/master/groups?fields=workerCount&product=stream" run_test=True

Event Capture

Capture events by index:

| cribl account=cribl mode=post url="/api/v1/system/capture" body="{'filter': 'index.includes(\'eventgen-firewall\')', 'maxEvents': 15, 'level': 0}"

Capture events by input ID:

| cribl account=cribl mode=post url="/api/v1/system/capture" body="{'filter': '__inputId==\'splunk_hec:in_splunk_hec\'', 'maxEvents': 15, 'level': 0}"

Worker Information

Get worker count and information:

| cribl account=cribl mode=get url="/api/v1/master/groups?fields=workerCount&product=stream" | spath

Get extended worker stats:

| cribl account=cribl mode=get url="/api/v1/master/workers?filterExp=info.cribl.distMode%3D%3D%22worker%22" | spath

System Configuration

Get groups (Cribl Stream only):

| cribl account=cribl mode=get url="/api/v1/master/groups?product=stream" | spath

Get inputs:

| cribl account=cribl mode=get url="/api/v1/m/default/system/inputs" | spath

Get outputs:

| cribl account=cribl mode=get url="/api/v1/m/default/system/outputs" | spath

Get pipelines:

| cribl account=cribl mode=get url="/api/v1/m/default/pipelines" | spath

Metrics and Monitoring

Get system metrics:

| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_global_metrics"

Get pipeline metrics:

| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_pipelines_metrics"

Get destination metrics:

| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_destinations_metrics"

Get routes metrics:

| cribl account=cribl mode=post url="/api/v1/system/metrics/query" cribl_function="get_routes_metrics"

Troubleshooting

Logs

Internal REST API Logs

Available at: index=_internal sourcetype="cribl:rest_api"

Custom Command Logs

Available at: index=_internal sourcetype="cribl:custom_commands:cribl"

Connectivity Testing

Test connectivity before account creation:

| cribl mode=post url="/services/cribl/v1/test_cribl_connectivity" body="{'cribl_deployment_type': 'cloud', 'cribl_client_id': '<redacted_client_id>', 'cribl_client_secret': '<redacted_client_secret>'}"

Important Notes

  • Time Range Support: The integration automatically respects Splunk time range filters when working with metrics

  • API Limitations: Cribl API provides up to 3 hours of metrics with 10-second granularity, beyond which metrics are rolled up to 10-minute spans

  • JSON Parsing: Use spath command to extract fields from JSON API responses

  • Performance Testing: Add run_test=True to any command to get response time and status information

Download and Installation

GitHub Repository

TA-trackme-cribl

Download Page

TrackMe Solutions Downloads

License and Support

License

This application is licensed under the TrackMe EULA. See TrackMe License for details.

Terms & Conditions

Available at TrackMe Terms & Conditions

Support

Support information available at TrackMe Support