
I am kinda being nudged into a move from a standalone to a distributed setup, so I have to start playing with this in the lab before I plan it out in production. Does any Cribl'er have any write-ups or discussions here where such a thing has been talked over that I can review before embarking on this adventure?

My end goal is to have Cribl Stream Distributed plus a handful of Edge clients to start with (and a ton of Splunk Universal Forwarders sending stuff to the worker node).

Changing an install from standalone to leader is not destructive. The settings just get a new level (by group), so you gotta move around a few things. Verify git is installed before proceeding: which git

Method 1:

  • Change existing install to Leader and restart
  • Copy old configs: rsync -a $CRIBL/local/cribl/ $CRIBL/groups/default/local/cribl/
  • Restart
  • Commit/deploy

Method 2:

  • Bring up a new host, set to Leader and restart if required
  • Copy old configs: rsync -a $CRIBL/local/cribl/ NEWLEADER:$CRIBL/groups/default/local/cribl/
  • Restart
  • Commit/deploy

Please note, this does work but there are a few caveats to be aware of.

  1. None of the packs are migrated over, and you have to manually import them or use the REST API (which is a bit weird, plus the documentation is unfortunately inconsistent, which just made me give up, go low tech, and import them in the UI).
  2. When you copy $CRIBL_HOME/local/cribl/cribl.yml over to $CRIBL_HOME/groups/default/local/cribl/cribl.yml, you are going to have all your standalone settings in it; you will have to manually edit it to reflect the worker settings and restart.
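A lab rehearsal of the Method 1 copy together with the cribl.yml caveat above, as an added example that is not from anyone in this thread. It assumes $CRIBL is the install root, backs up any existing group config before copying, and falls back to cp -a where rsync is missing.

```shell
#!/bin/sh
# Added example, not from the thread. Rehearses the standalone -> leader
# config copy on a lab install root and flags the cribl.yml caveat.
set -eu

# The thread says to verify git before proceeding; return non-zero if absent.
check_git() {
  command -v git >/dev/null 2>&1
}

# Copy $CRIBL/local/cribl/ into the default worker group, keeping a timestamped
# backup of anything already in the group directory so the step is reversible.
migrate_configs() {
  cribl_home="$1"
  src="$cribl_home/local/cribl/"
  dst="$cribl_home/groups/default/local/cribl/"

  [ -d "$src" ] || { echo "no standalone config at $src" >&2; return 1; }
  mkdir -p "$dst"
  if [ -n "$(ls -A "$dst")" ]; then
    backup="$cribl_home/groups/default/local/cribl.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$dst" "$backup"
    echo "existing group config backed up to $backup"
  fi
  if command -v rsync >/dev/null 2>&1; then
    rsync -a "$src" "$dst"
  else
    cp -a "$src." "$dst"
  fi
  # Caveat 2 from the thread: the copied cribl.yml still carries standalone
  # settings and must be edited by hand before commit/deploy.
  [ -f "$dst/cribl.yml" ] && echo "REVIEW $dst/cribl.yml: still has standalone settings" >&2
  return 0
}

# Usage: CRIBL=/opt/cribl sh migrate.sh run   (no-op when sourced without "run")
if [ "${1:-}" = "run" ]; then
  check_git || { echo "git not found; install it first" >&2; exit 1; }
  migrate_configs "${CRIBL:?set CRIBL to the install root}"
fi
```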
