# Cribl

Cribl Cloud is a log management solution that provides centralized logging, data analysis, and real-time visibility for organizations. It allows for collecting, processing, and forwarding large volumes of log data from various sources in the cloud environment. It provides features such as field extraction, aggregation, data routing, and alerting to enable organizations to quickly identify and respond to security threats, troubleshoot issues, and improve operations.

## Asset Setup

This connector supports the below authentication options:

**OAuth2 Client Credentials authentication (Cribl Cloud)**

To set up the asset, you need the following inputs:

- URL
- Client ID
- Client Secret
- Audience
- Token URL

**OAuth2 Password authentication (Cribl On-Prem)**

If you're using SSO/OpenID Connect authentication, you must toggle Allow Local Auth on, because you'll need to be a local user when you authenticate via the API.

To set up the asset, you need the following inputs:

- URL
- Username
- Password

## Capabilities

This connector provides the following capabilities:

- Evaluate Expression
- Get Dataset By ID
- Get Datasets
- Get Job Result
- Get Log By ID
- Get Logs
- Get Lookup File By ID
- Get Lookups
- Get Message By ID
- Get Messages
- Get Notification By ID
- Get Notification Targets
- Get Processes
- Get Role By ID
- Get Roles
- and so on

## API Documentation Link

- Cribl API documentation link: https://docs.cribl.io/api/
- Cribl authentication link: https://docs.cribl.io/stream/api-tutorials/#criblcloud-free-tier

## Configurations

### HTTP Basic Authentication

Authenticates Cribl On-Prem using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### OAuth 2.0 Client Credentials

Authenticates Cribl Cloud using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Token URL | | string | required |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |
| Audience | Audience | string | required |

## Actions

### Evaluate Expression

Returns a list of ExprLibEntry objects.

**Endpoint URL:** `/lib/expression`

**Method:** POST

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| context | object | Output field context |
| additionalprop1 | object | Output field additionalprop1 |
| evaltype | string | Type of the resource |
| expr | string | Output field expr |
| id | string | Unique identifier |
| pack | string | Output field pack |
| result | object | Result of the operation |
| additionalprop1 | object | Output field additionalprop1 |
| unprotected | boolean | Output field unprotected |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {"count": 123, "items": []}
  }
]
```

### Get Dataset By ID

Get dataset by id.

**Endpoint URL:** `/search/datasets/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {"count": 123, "items": []}
  }
]
```

### Get Datasets

Get a list of dataset objects.

**Endpoint URL:** `/search/datasets`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {"count": 123, "items": []}
  }
]
```

### Get Job Result

Get results for a discover job by instance id.

**Endpoint URL:** `/jobs/{{id}}/results`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Job instance id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| string | string | Output field string |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {"string": "string"}
  }
]
```

### Get Log By ID

Get contents of the log file.

**Endpoint URL:** `/system/logs/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Log id |
| limit | number | optional | Maximum number of log lines to retrieve, starting from offset |
| endoffset | number | optional | Offset in the current log file to fetch the log events up to |
| et | number | optional | Epoch timestamp of the earliest event (includes rolled files present on disk) |
| lt | number | optional | Epoch timestamp of the latest event (includes rolled files present on disk) |
| filter | string | optional | Filter |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| additionalprop1 | object | Output field additionalprop1 |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Logs

Get a list of log files.

**Endpoint URL:** `/system/logs`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| path | string | Output field path |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Lookup File By ID

Get LookupFile by id.

**Endpoint URL:** `/system/lookups/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| fileinfo | object | Output field fileinfo |
| filename | string | Name of the resource |
| id | string | Unique identifier |
| description | string | Output field description |
| tags | string | Output field tags |
| size | number | Output field size |
| content | string | Response content |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Lookups

Get a list of LookupFile objects.

**Endpoint URL:** `/system/lookups`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| fileinfo | object | Output field fileinfo |
| filename | string | Name of the resource |
| id | string | Unique identifier |
| description | string | Output field description |
| tags | string | Output field tags |
| size | number | Output field size |
| content | string | Response content |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Message By ID

Get BulletinMessage by id.

**Endpoint URL:** `/system/message/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| severity | string | Output field severity |
| title | string | Output field title |
| text | string | Output field text |
| time | number | Time value |
| group | string | Output field group |
| metadata | array | Response data |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Messages

Get a list of BulletinMessage objects.

**Endpoint URL:** `/system/messages`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| severity | string | Output field severity |
| title | string | Output field title |
| text | string | Output field text |
| time | number | Time value |
| group | string | Output field group |
| metadata | array | Response data |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Notification By ID

Get notification target by id.

**Endpoint URL:** `/notification-targets/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| type | string | Type of the resource |
| systemfields | array | Output field systemfields |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Notification Targets

Get a list of NotificationTarget objects.

**Endpoint URL:** `/notification-targets`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| type | string | Type of the resource |
| systemfields | array | Output field systemfields |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Processes

Get a list of processes under management.

**Endpoint URL:** `/system/processes`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| env | object | Output field env |
| additionalprop1 | object | Output field additionalprop1 |
| id | string | Unique identifier |
| pid | number | Unique identifier |
| restartonexit | boolean | Output field restartonexit |
| restarts | number | Output field restarts |
| starttime | number | Time value |
| type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Role By ID

Get role by id.

**Endpoint URL:** `/system/roles/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| description | string | Output field description |
| id | string | Unique identifier |
| policy | array | Output field policy |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Roles

Get a list of role objects.

**Endpoint URL:** `/system/roles`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| description | string | Output field description |
| id | string | Unique identifier |
| policy | array | Output field policy |
| tags | array | Output field tags |
| title | string | Output field title |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Sample By ID

Get DataSample by id.

**Endpoint URL:** `/system/samples/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| samplename | string | Name of the resource |
| pipelineid | string | Unique identifier |
| description | string | Output field description |
| ttl | number | Output field ttl |
| tags | string | Output field tags |
| additionalprop1 | object | Output field additionalprop1 |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Samples

Get a list of DataSample objects.

**Endpoint URL:** `/system/samples`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| samplename | string | Name of the resource |
| created | number | Output field created |
| istemplate | boolean | Output field istemplate |
| size | number | Output field size |
| numevents | number | Output field numevents |
| id | string | Unique identifier |
| modified | number | Output field modified |
| tstemplatefield | string | Output field tstemplatefield |
| count | number | Count value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-cribl-api-cache-control": "max-age=300",
      "content-type": "application/json; charset=utf-8",
      "content-length": "3401",
      "date": "Thu, 19 Oct 2023 11:12:35 GMT",
      "connection": "keep-alive",
      "keep-alive": "timeout=5"
    },
    "reason": "OK",
    "json_body": {"items": [], "count": 21}
  }
]
```

### Get Saved Job By ID

Get SavedJob by id.

**Endpoint URL:** `/lib/jobs/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| type | string | Type of the resource |
| ttl | string | Output field ttl |
| removefields | array | Output field removefields |
| resumeonboot | boolean | Output field resumeonboot |
| environment | string | Output field environment |
| schedule | object | Output field schedule |
| enabled | boolean | Output field enabled |
| cronschedule | string | Output field cronschedule |
| maxconcurrentruns | number | Output field maxconcurrentruns |
| skippable | boolean | Output field skippable |
| resumemissed | string | Output field resumemissed |
| run | object | Output field run |
| streamtags | array | Output field streamtags |
| workeraffinity | boolean | Output field workeraffinity |
| collector | object | Output field collector |
| type | string | Type of the resource |
| conf | object | Output field conf |
| destructive | boolean | Output field destructive |
| input | object | Input data for the action |
| type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Saved Jobs

Get a list of SavedJob objects.

**Endpoint URL:** `/lib/jobs`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| id | string | Unique identifier |
| type | string | Type of the resource |
| ttl | string | Output field ttl |
| removefields | array | Output field removefields |
| resumeonboot | boolean | Output field resumeonboot |
| environment | string | Output field environment |
| schedule | object | Output field schedule |
| enabled | boolean | Output field enabled |
| cronschedule | string | Output field cronschedule |
| maxconcurrentruns | number | Output field maxconcurrentruns |
| skippable | boolean | Output field skippable |
| resumemissed | string | Output field resumemissed |
| run | object | Output field run |
| streamtags | array | Output field streamtags |
| workeraffinity | boolean | Output field workeraffinity |
| collector | object | Output field collector |
| type | string | Type of the resource |
| conf | object | Output field conf |
| destructive | boolean | Output field destructive |
| input | object | Input data for the action |
| type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Saved Queries

Get a list of SavedQuery objects.

**Endpoint URL:** `/search/saved`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| chartconfig | object | Output field chartconfig |
| axis | object | Output field axis |
| xaxis | string | Output field xaxis |
| yaxis | array | Output field yaxis |
| color | string | Output field color |
| colorpalette | number | Output field colorpalette |
| colorpalettereversed | boolean | Output field colorpalettereversed |
| data | object | Response data |
| connectnulls | string | Output field connectnulls |
| stack | boolean | Output field stack |
| decimals | number | Output field decimals |
| label | string | Output field label |
| legend | object | Output field legend |
| position | string | Output field position |
| truncate | boolean | Output field truncate |
| prefix | string | Output field prefix |
| series | array | Output field series |
| color | string | Output field color |
| name | string | Name of the resource |
| type | object | Type of the resource |
| yaxisfield | string | Output field yaxisfield |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Saved Query By ID

Get SavedQuery by id.

**Endpoint URL:** `/search/saved/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| chartconfig | object | Output field chartconfig |
| axis | object | Output field axis |
| xaxis | string | Output field xaxis |
| yaxis | array | Output field yaxis |
| color | string | Output field color |
| colorpalette | number | Output field colorpalette |
| colorpalettereversed | boolean | Output field colorpalettereversed |
| data | object | Response data |
| connectnulls | string | Output field connectnulls |
| stack | boolean | Output field stack |
| decimals | number | Output field decimals |
| label | string | Output field label |
| legend | object | Output field legend |
| position | string | Output field position |
| truncate | boolean | Output field truncate |
| prefix | string | Output field prefix |
| series | array | Output field series |
| color | string | Output field color |
| name | string | Name of the resource |
| type | object | Type of the resource |
| yaxisfield | string | Output field yaxisfield |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Search Job By ID

Get SearchJob by id.

**Endpoint URL:** `/search/jobs/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| chartconfig | object | Output field chartconfig |
| axis | object | Output field axis |
| xaxis | string | Output field xaxis |
| yaxis | array | Output field yaxis |
| color | string | Output field color |
| colorpalette | number | Output field colorpalette |
| colorpalettereversed | boolean | Output field colorpalettereversed |
| data | object | Response data |
| connectnulls | string | Output field connectnulls |
| stack | boolean | Output field stack |
| decimals | number | Output field decimals |
| label | string | Output field label |
| legend | object | Output field legend |
| position | string | Output field position |
| truncate | boolean | Output field truncate |
| prefix | string | Output field prefix |
| series | array | Output field series |
| color | string | Output field color |
| name | string | Name of the resource |
| type | object | Type of the resource |
| yaxisfield | string | Output field yaxisfield |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Search Jobs

Get a list of SearchJob objects.

**Endpoint URL:** `/search/jobs`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| chartconfig | object | Output field chartconfig |
| axis | object | Output field axis |
| xaxis | string | Output field xaxis |
| yaxis | array | Output field yaxis |
| color | string | Output field color |
| colorpalette | number | Output field colorpalette |
| colorpalettereversed | boolean | Output field colorpalettereversed |
| data | object | Response data |
| connectnulls | string | Output field connectnulls |
| stack | boolean | Output field stack |
| decimals | number | Output field decimals |
| label | string | Output field label |
| legend | object | Output field legend |
| position | string | Output field position |
| truncate | boolean | Output field truncate |
| prefix | string | Output field prefix |
| series | array | Output field series |
| color | string | Output field color |
| name | string | Name of the resource |
| type | object | Type of the resource |
| yaxisfield | string | Output field yaxisfield |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Secret By ID

Get RestSecret by id.

**Endpoint URL:** `/system/secrets/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| apikey | string | Output field apikey |
| description | string | Output field description |
| id | string | Unique identifier |
| password | string | Output field password |
| secretkey | string | Output field secretkey |
| secrettype | string | Type of the resource |
| tags | string | Output field tags |
| username | string | Name of the resource |
| value | string | Value for the parameter |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Secrets

Get a list of RestSecret objects.

**Endpoint URL:** `/system/secrets`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| apikey | string | Output field apikey |
| description | string | Output field description |
| id | string | Unique identifier |
| password | string | Output field password |
| secretkey | string | Output field secretkey |
| secrettype | string | Type of the resource |
| tags | string | Output field tags |
| username | string | Name of the resource |
| value | string | Value for the parameter |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get User By ID

Get user by id.

**Endpoint URL:** `/system/users/{{id}}`

**Method:** GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique id |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| currentpassword | string | Output field currentpassword |
| disabled | boolean | Output field disabled |
| email | string | Output field email |
| first | string | Output field first |
| id | string | Unique identifier |
| last | string | Output field last |
| password | string | Output field password |
| roles | array | Output field roles |
| username | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

### Get Users

Get a list of user objects.

**Endpoint URL:** `/system/users`

**Method:** GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| items | array | Output field items |
| currentpassword | string | Output field currentpassword |
| disabled | boolean | Output field disabled |
| email | string | Output field email |
| first | string | Output field first |
| id | string | Unique identifier |
| last | string | Output field last |
| password | string | Output field password |
| roles | array | Output field roles |
| username | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Fri, 06 Oct 2023 06:05:14 GMT",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, max-age=0, must-revalidate",
      "strict-transport-security": "max-age=31536000",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff"
    },
    "reason": "OK",
    "json_body": {"count": 0, "items": []}
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| cache-control | Directives for caching mechanisms | no-cache, no-store, private, max-age=0, must-revalidate |
| connection | HTTP response header connection | keep-alive |
| content-length | The length of the response body in bytes | 3401 |
| content-type | The media type of the resource | application/json;charset=utf-8 |
| date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| keep-alive | HTTP response header keep-alive | timeout=5 |
| strict-transport-security | HTTP response header strict-transport-security | max-age=31536000 |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-cribl-api-cache-control | HTTP response header x-cribl-api-cache-control | max-age=300 |
| x-frame-options | HTTP response header x-frame-options | SAMEORIGIN |
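The two credential sets from Asset Setup and the `{{id}}` endpoint form used by the actions above, as an added example that is not the connector's or Cribl's own code: a small Python client that sends either the Basic header (On-Prem) or a Bearer token obtained through the client-credentials exchange (Cloud), fills path parameters without letting an id escape its path segment, and drops unset optional query arguments such as `filter`. It assumes the configured URL already carries any API prefix the deployment needs, that the token URL accepts a JSON grant with an `audience` member and answers with `access_token`, and `ScriptedTransport` plus all host names and credentials are constructed so the flow runs offline.

```python
"""HTTP Basic (Cribl On-Prem) and OAuth 2.0 client credentials (Cribl Cloud) client for the
asset parameters on this page. Added example, not the connector's own code."""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional


def urllib_transport(req, verify_ssl, proxy):
    """Default transport: send with urllib, return {"status_code", "json_body"}. The
    transport is injectable so the auth and URL logic can run without a live instance."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # the optional "verify ssl = false" setting: no certificate check at all
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:  # the optional "http proxy" setting
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    with urllib.request.build_opener(*handlers).open(req, timeout=30) as resp:
        return {"status_code": resp.status, "json_body": json.load(resp)}


@dataclass
class CriblAsset:
    """The configuration parameters listed for the two asset types."""
    url: str                          # base URL incl. any API prefix (assumption)
    verify_ssl: bool = True
    http_proxy: Optional[str] = None
    username: Optional[str] = None    # HTTP Basic authentication (On-Prem)
    password: Optional[str] = None
    token_url: Optional[str] = None   # OAuth 2.0 client credentials (Cloud)
    client_id: Optional[str] = None
    client_secret: Optional[str] = None
    audience: Optional[str] = None


class CriblClient:
    def __init__(self, asset: CriblAsset, transport=urllib_transport):
        a = asset
        if not ((a.client_id and a.client_secret and a.token_url and a.audience)
                or (a.username and a.password)):
            raise ValueError("asset needs username/password or complete client credentials")
        self.asset, self.transport, self._token = asset, transport, None

    def _fetch_token(self) -> str:
        # Assumption: the token URL takes a JSON client-credentials grant that carries the
        # "audience" parameter and answers with {"access_token": ...}.
        a = self.asset
        body = json.dumps({"grant_type": "client_credentials", "client_id": a.client_id,
                           "client_secret": a.client_secret, "audience": a.audience},
                          sort_keys=True).encode()
        req = urllib.request.Request(a.token_url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        resp = self.transport(req, a.verify_ssl, a.http_proxy)
        if resp["status_code"] != 200 or "access_token" not in resp["json_body"]:
            raise RuntimeError("token request failed with HTTP %s" % resp["status_code"])
        return resp["json_body"]["access_token"]

    def auth_header(self) -> str:
        a = self.asset
        if a.client_id:
            if self._token is None:  # one token exchange per client, then reuse
                self._token = self._fetch_token()
            return "Bearer " + self._token
        return "Basic " + base64.b64encode(f"{a.username}:{a.password}".encode()).decode()

    def get(self, endpoint: str, path_params: Optional[Dict] = None,
            query: Optional[Dict] = None) -> Dict:
        """Call a GET endpoint written as on this page, e.g. "/system/logs/{{id}}". Path values
        are percent-encoded with "/" escaped, so an id like "../users" stays one segment."""
        path = endpoint
        for name, value in (path_params or {}).items():
            path = path.replace("{{" + name + "}}", urllib.parse.quote(str(value), safe=""))
        url = self.asset.url.rstrip("/") + path
        params = {k: v for k, v in (query or {}).items() if v is not None}  # drop unset
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, method="GET", headers={
            "Authorization": self.auth_header(), "Accept": "application/json"})
        resp = self.transport(req, self.asset.verify_ssl, self.asset.http_proxy)
        if resp["status_code"] != 200:
            raise RuntimeError("%s returned HTTP %s" % (path, resp["status_code"]))
        return resp["json_body"]


class ScriptedTransport:
    """Constructed offline stand-in: records every request, replays canned responses."""
    def __init__(self, responses: List[Dict]):
        self.responses, self.requests = list(responses), []

    def __call__(self, req, verify_ssl, proxy):
        self.requests.append(req)
        return self.responses.pop(0)
```

With a real asset, `CriblClient(asset).get("/system/logs/{{id}}", {"id": log_id}, {"limit": 100})` sends the request through urllib, and any non-200 status raises instead of returning a partial body.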