Cribl Spring Cleaning Checklist
This post outlines a set of suggestions and topics to revisit when reviewing your Cribl deployment. Whether you’re closing out a project or doing regular maintenance, a thoughtful review can help keep things tidy, intentional, and easier to manage over time.
- Review and update your architectural Diagrams
You should review your architectural diagrams and documentation to ensure all the Worker Groups/Fleets are correctly tracked. With the ability to create groups easily, original design documents may no longer be current. Outdated documentation can easily lead to confusion and misunderstandings.
- Review comments, readmes and descriptions
Comments and notes can sometimes age poorly. I recommend reviewing your packs and pipelines to ensure you can still follow the logical flow of what is trying to be accomplished. This task is ideally done with a colleague who wasn’t the original pack/pipeline author to see how easy everything is to understand.
- Disable unused Cribl Sources
This tip is most relevant when setting up a worker group but can be done periodically. Are any sources or ports no longer being used? If so, disabling and/or removing them can simplify your deployment. However, always double check it’s not just a very quiet source before making any disruptive changes.
- Delete* outdated samples
Whilst testing and developing occurs you’ll likely accumulate some samples which are no longer relevant and outdated. For example, if you’ve changed your event breaking and or pre processing pipelines, older stage 2 captures no longer reflect “true” data flows. Removing these samples helps ensure people know where to look and limits the risk of confusion.
- Delete* unused packs and pipelines
Similarly to the previous suggestion, you’ll likely have plenty of pipelines that may have been tested or are no longer relevant. Removing these reduces the risk of referencing an old or broken pipeline and the chance of future error.
* - As an alternative to deleting, you can export these samples, packs and pipelines into long term storage. This can be essential for compliance and traceability but can also assist with training new members of staff with a Cribl story and examples of improvement.
- Collect current samples
Once removing all the outdated samples, it may be appropriate to capture new data samples. This is a vital aid for regression analysis and drift detection so is worth the time to manage. When collecting these samples, ensure they have an appropriate title and description to make them easy to understand.
- RBAC access review
There’s never a better time to review role based access than today! Across a project you may have granted temporary access to staff or contractors that is no longer required. Tidying up these accounts is advised. Additionally, you may also note some accounts have excessive permissions and should be reduced.
- Review Notification settings
Whilst we are excited about Cribl Insights coming along soon to change the way we monitor our Cribl deployments, notifications remain the best thing you can review today! Having low/no/high alerting thresholds is a good way to get notified and take action in the event of a fault condition. A superstitious person may say the source without notifications gets the fault so take action to avoid.
- Clear your commits and update to the latest version
The latest version of Cribl code will always be the greatest one to be on. If running older versions, I’d recommend reading the change logs and start planning for upgrades.
Keeping a Cribl environment healthy isn’t about big overhauls, it’s about regular, thoughtful review.
Use this checklist whenever things start to feel a little cluttered.