Skip to main content

Cribl LogStream

Overview#

important

The Cribl output is currently a technology preview. The design and implementation are less mature than stable features and subject to change.

The Cribl output can be used to send records to the Cribl LogStream HTTP/S (Bulk API).

EF_FLOW_OUTPUT_CRIBL_ENABLE#

Specifies whether the Cribl output is enabled.

  • Valid Values
    • true, false
  • Default
    • false

EF_FLOW_OUTPUT_CRIBL_ADDRESSES#

This setting specifies the Cribl workers to which the output should connect. It is a comma-separated list of Cribl workers, including port number.

warning

Do NOT include http:// or https:// in the provided value. TLS communications is enabled/disabled using EF_FLOW_OUTPUT_CRIBL_TLS_ENABLE.

  • Default
    • 127.0.0.1:10080

EF_FLOW_OUTPUT_CRIBL_TOKEN#

The Cribl data shipping token that the collector will use to send data.

  • Default
    • ''

EF_FLOW_OUTPUT_CRIBL_BATCH_DEADLINE#

The maximum time, in milliseconds, to wait for a batch of records to fill before being sent to Cribl.

  • Default
    • 2000

EF_FLOW_OUTPUT_CRIBL_BATCH_MAX_BYTES#

The maximum size, in bytes, for a batch of records being sent to Cribl.

  • Default
    • 8388608

EF_FLOW_OUTPUT_CRIBL_TLS_ENABLE#

This setting is used to enable/disable TLS connections to Cribl Logstream.

  • Valid Values
    • true, false
  • Default
    • false

EF_FLOW_OUTPUT_CRIBL_TLS_SKIP_VERIFICATION#

This setting is used to enable/disable TLS verification of the Cribl Logstream server to which the output is attempting to connect.

  • Valid Values
    • true, false
  • Default
    • false

EF_FLOW_OUTPUT_CRIBL_TLS_CA_CERT_FILEPATH#

The path to the Certificate Authority (CA) certificate to use for verification of the Cribl Logstream server to which the output is attempting to connect.

  • Default
    • ''

EF_FLOW_OUTPUT_CRIBL_DROP_FIELDS#

This setting allows for a comma-separated list of fields that are to be removed from all records.

note

Fields are dropped after any output specific fields have been added and after any schema conversion. This means that you should use the field names as you see them in the user interface.

  • Valid Values
    • any field names related to the enabled schema, comma-separated
  • Example
    • flow.export.sysuptime,flow.export.version.ver,flow.start.sysuptime,flow.end.sysuptime,flow.seq_num
  • Default
    • ''
Edit this page