Migrate from Cribl Standalone to Cribl Distributed(+ Edge)

Question

I am kinda being nudged into a move from a Standalone to a distributed setup. So have to start playing in the lab with this before I plan it out in production. Does any cribl’er have any write ups or discussions here where such a thing has been talked over that I can review before embarking on this adventure.

My end goal is to have a Cribl Stream Distributed + A handful of Edge clients to start with(and a ton of Splunk Universal Forwarders sending out stuff to the worker node).

Jon Rust · Accepted Answer

Changing an install to leader from standalone is not destructive. The settings just get a new level (by group) so you gotta move around a few things. Verify git is installed before proceeding. which git

Method 1:

Change existing install to Leader and restart
Copy old configs: rsync -a $CRIBL/local/cribl/ $CRIBL/groups/default/local/cribl/
Restart
Commit/deploy

Method 2:

Bring up a new host, set to Leader and restart if required
Copy old configs: rsync -a $CRIBL/local/cribl/ NEWLEADER:$CRIBL/groups/default/local/cribl/
Restart
Commit/deploy

Govardhanen Gopal · Answer

Please note, this does work but there are a few caveats to be aware of.None of the packs are migrated over, and you have to manually import them or use the rest api(which is a bit weird + unfortunately inconsistent documentation which just made me give up and go low tech and import it in the ui)When you do copy over the $CRIBL_HOME/local/cribl/cribl.yml into $CRIBL_HOME/groups/default/local/cribl/cribl.yml you are going to have all your stand alone settings, you will have to manually edit it to reflect the worker settings and restart.

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded