Cribl Stream API

The Cribl Stream API provides programmatic access to Cribl Stream, an observability pipeline platform that processes and routes telemetry data in real time. Through the API, developers can manage pipelines, routes, sources, destinations, and worker groups. It enables automation of data collection, transformation, and routing workflows.

OpenAPI Specification

cribl-stream-api-openapi.yml
openapi: 3.1.0
info:
  title: Cribl Stream API
  description: >-
    The Cribl Stream API provides programmatic access to Cribl Stream, an
    observability pipeline platform that processes and routes telemetry data
    in real time. Through the API, developers can manage pipelines, routes,
    sources, destinations, and worker groups. It enables automation of data
    collection, transformation, and routing workflows, allowing
    organizations to control how observability data flows between sources
    and analytics tools without vendor lock-in. Stream API endpoints are
    accessed through the Cribl Cloud control plane or directly on
    on-premises deployments.
  version: '1.0'
  contact:
    name: Cribl Support
    url: https://cribl.io/support/
  termsOfService: https://cribl.io/terms-of-service/
externalDocs:
  description: Cribl Stream Documentation
  url: https://docs.cribl.io/stream/
servers:
  - url: https://{workspaceName}-{organizationId}.cribl.cloud/api/v1
    description: Cribl Cloud
    variables:
      workspaceName:
        default: default
        description: The name of the Cribl Cloud workspace
      organizationId:
        default: org-id
        description: The Cribl Cloud organization identifier
  - url: https://{hostname}:{port}/api/v1
    description: On-Premises Deployment
    variables:
      hostname:
        default: localhost
        description: The hostname of the Cribl instance
      port:
        default: '9000'
        description: The port of the Cribl instance
tags:
  - name: Collectors
    description: >-
      Manage scheduled and on-demand data collection tasks using REST API,
      database, script, and S3 collectors for batch data ingestion.
  - name: Destinations
    description: >-
      Manage Stream data output destinations including Splunk, S3,
      Elasticsearch, Kafka, webhook, and other analytics platforms.
  - name: Functions
    description: >-
      Retrieve available Stream processing functions for use in pipelines
      including eval, regex extract, rename, mask, aggregate, and others.
  - name: Lookups
    description: >-
      Manage lookup files and tables used for enriching events during
      pipeline processing with reference data.
  - name: Notifications
    description: >-
      Configure notification rules for monitoring data flow rates and
      system events with webhook and PagerDuty targets.
  - name: Packs
    description: >-
      Install and manage reusable configuration packs containing bundled
      pipelines, routes, sources, destinations, and other Stream resources.
  - name: Pipelines
    description: >-
      Manage Stream processing pipelines containing ordered sequences of
      functions for transforming, filtering, and enriching events in
      real time.
  - name: Routes
    description: >-
      Manage Stream routes that apply filter expressions on incoming events
      to send matching results to appropriate pipelines and destinations.
  - name: Sources
    description: >-
      Manage Stream data input sources including Syslog, HTTP, Kafka,
      Splunk HEC, TCP JSON, file monitors, and other protocol endpoints.
  - name: Worker Groups
    description: >-
      Manage Stream worker groups that organize worker nodes and deploy
      shared pipeline configurations across clusters.
security:
  - bearerAuth: []
paths:
  /m/{groupId}/pipelines:
    get:
      operationId: listStreamPipelines
      summary: List Stream pipelines in a worker group
      description: >-
        Retrieves all processing pipelines configured within a specific
        worker group context, including their function chains and settings.
      tags:
        - Pipelines
      parameters:
        - $ref: '#/components/parameters/groupId'
      responses:
        '200':
          description: Successfully retrieved pipelines
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Pipeline'
                  count:
                    type: integer
                    description: Total number of pipelines
        '401':
          description: Unauthorized
        '404':
          description: Worker group not found
    post:
      operationId: createStreamPipeline
      summary: Create a Stream pipeline in a worker group
      description: >-
        Creates a new processing pipeline within a specific worker group
        with the specified functions and configuration for real-time
        data transformation.
      tags:
        - Pipelines
      parameters:
        - $ref: '#/components/parameters/groupId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Pipeline'
      responses:
        '200':
          description: Pipeline created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Pipeline'
        '400':
          description: Invalid pipeline configuration
        '401':
          description: Unauthorized
  /m/{groupId}/pipelines/{id}:
    get:
      operationId: getStreamPipeline
      summary: Get a Stream pipeline by ID
      description: >-
        Retrieves the configuration of a specific Stream pipeline within
        a worker group context.
      tags:
        - Pipelines
      parameters:
        - $ref: '#/components/parameters/groupId'
        - $ref: '#/components/parameters/resourceId'
      responses:
        '200':
          description: Successfully retrieved pipeline
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Pipeline'
        '401':
          description: Unauthorized
        '404':
          description: Pipeline not found
    patch:
      operationId: updateStreamPipeline
      summary: Update a Stream pipeline
      description: >-
        Updates the configuration of an existing Stream pipeline within
        a worker group context.
      tags:
        - Pipelines
      parameters:
        - $ref: '#/components/parameters/groupId'
        - $ref: '#/components/parameters/resourceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Pipeline'
      responses:
        '200':
          description: Pipeline updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Pipeline'
        '400':
          description: Invalid pipeline configuration
        '401':
          description: Unauthorized
        '404':
          description: Pipeline not found
    delete:
      operationId: deleteStreamPipeline
      summary: Delete a Stream pipeline
      description: >-
        Deletes a processing pipeline from a worker group by its unique
        ID. The pipeline must not be referenced by active routes.
      tags:
        - Pipelines
      parameters:
        - $ref: '#/components/parameters/groupId'
        - $ref: '#/components/parameters/resourceId'
      responses:
        '200':
          description: Pipeline deleted successfully
        '401':
          description: Unauthorized
        '404':
          description: Pipeline not found
  /m/{groupId}/routes:
    get:
      operationId: listStreamRoutes
      summary: List Stream routes in a worker group
      description: >-
        Retrieves all routes configured within a worker group context that
        filter and direct incoming data to pipelines and destinations.
      tags:
        - Routes
      parameters:
        - $ref: '#/components/parameters/groupId'
      responses:
        '200':
          description: Successfully retrieved routes
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Route'
                  count:
                    type: integer
                    description: Total number of routes
        '401':
          description: Unauthorized
        '404':
          description: Worker group not found
    post:
      operationId: createStreamRoute
      summary: Create a Stream route in a worker group
      description: >-
        Creates a new route within a worker group to filter and direct
        incoming events to specified pipelines and destinations.
      tags:
        - Routes
      parameters:
        - $ref: '#/components/parameters/groupId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Route'
      responses:
        '200':
          description: Route created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Route'
        '400':
          description: Invalid route configuration
        '401':
          description: Unauthorized
  /m/{groupId}/system/sources:
    get:
      operationId: listStreamSources
      summary: List Stream sources in a worker group
      description: >-
        Retrieves all data input sources configured within a specific
        worker group including Syslog, HTTP, Kafka, and other sources.
      tags:
        - Sources
      parameters:
        - $ref: '#/components/parameters/groupId'
      responses:
        '200':
          description: Successfully retrieved sources
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Source'
                  count:
                    type: integer
                    description: Total number of sources
        '401':
          description: Unauthorized
        '404':
          description: Worker group not found
    post:
      operationId: createStreamSource
      summary: Create a Stream source in a worker group
      description: >-
        Creates a new data input source within a worker group with the
        specified type and configuration for data collection.
      tags:
        - Sources
      parameters:
        - $ref: '#/components/parameters/groupId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Source'
      responses:
        '200':
          description: Source created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Source'
        '400':
          description: Invalid source configuration
        '401':
          description: Unauthorized
  /m/{groupId}/system/outputs:
    get:
      operationId: listStreamDestinations
      summary: List Stream destinations in a worker group
      description: >-
        Retrieves all data output destinations configured within a
        specific worker group context.
      tags:
        - Destinations
      parameters:
        - $ref: '#/components/parameters/groupId'
      responses:
        '200':
          description: Successfully retrieved destinations
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Destination'
                  count:
                    type: integer
                    description: Total number of destinations
        '401':
          description: Unauthorized
        '404':
          description: Worker group not found
    post:
      operationId: createStreamDestination
      summary: Create a Stream destination in a worker group
      description: >-
        Creates a new data output destination within a worker group with
        the specified type and configuration.
      tags:
        - Destinations
      parameters:
        - $ref: '#/components/parameters/groupId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Destination'
      responses:
        '200':
          description: Destination created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Destination'
        '400':
          description: Invalid destination configuration
        '401':
          description: Unauthorized
  /system/functions:
    get:
      operationId: listStreamFunctions
      summary: List available Stream functions
      description: >-
        Retrieves all available processing functions that can be used in
        Stream pipelines including eval, regex extract, rename, mask,
        aggregate, publish metrics, and others.
      tags:
        - Functions
      responses:
        '200':
          description: Successfully retrieved functions
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Function'
                  count:
                    type: integer
                    description: Total number of functions
        '401':
          description: Unauthorized
  /master/groups:
    get:
      operationId: listWorkerGroups
      summary: List all Stream worker groups
      description: >-
        Retrieves all worker groups configured for Stream deployments
        including their node counts and configuration versions.
      tags:
        - Worker Groups
      responses:
        '200':
          description: Successfully retrieved worker groups
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/WorkerGroup'
                  count:
                    type: integer
                    description: Total number of worker groups
        '401':
          description: Unauthorized
    post:
      operationId: createWorkerGroup
      summary: Create a worker group
      description: >-
        Creates a new Stream worker group for organizing and deploying
        configurations to a set of worker nodes.
      tags:
        - Worker Groups
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WorkerGroup'
      responses:
        '200':
          description: Worker group created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WorkerGroup'
        '400':
          description: Invalid group configuration
        '401':
          description: Unauthorized
  /master/groups/{id}/deploy:
    post:
      operationId: deployWorkerGroup
      summary: Deploy configuration to a worker group
      description: >-
        Deploys the current configuration to all worker nodes in the
        specified group, making configuration changes effective.
      tags:
        - Worker Groups
      parameters:
        - $ref: '#/components/parameters/resourceId'
      responses:
        '200':
          description: Deployment initiated successfully
        '401':
          description: Unauthorized
        '404':
          description: Worker group not found
  /system/collectors:
    get:
      operationId: listStreamCollectors
      summary: List all Stream collectors
      description: >-
        Retrieves all configured data collection tasks for batch
        ingestion from REST APIs, databases, scripts, and cloud storage.
      tags:
        - Collectors
      responses:
        '200':
          description: Successfully retrieved collectors
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Collector'
                  count:
                    type: integer
                    description: Total number of collectors
        '401':
          description: Unauthorized
  /packs:
    get:
      operationId: listStreamPacks
      summary: List all installed Stream packs
      description: >-
        Retrieves all installed configuration packs containing bundled
        pipelines, routes, and other Stream resources.
      tags:
        - Packs
      responses:
        '200':
          description: Successfully retrieved packs
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Pack'
                  count:
                    type: integer
                    description: Total number of packs
        '401':
          description: Unauthorized
    post:
      operationId: installStreamPack
      summary: Install a Stream pack
      description: >-
        Installs a configuration pack from a source URL or uploads a
        pack archive containing bundled Stream resources.
      tags:
        - Packs
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Pack'
      responses:
        '200':
          description: Pack installed successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Pack'
        '400':
          description: Invalid pack configuration
        '401':
          description: Unauthorized
  /system/lookups:
    get:
      operationId: listStreamLookups
      summary: List all Stream lookups
      description: >-
        Retrieves all configured lookup files and tables used for
        enriching events during Stream pipeline processing.
      tags:
        - Lookups
      responses:
        '200':
          description: Successfully retrieved lookups
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Lookup'
                  count:
                    type: integer
                    description: Total number of lookups
        '401':
          description: Unauthorized
  /notifications:
    get:
      operationId: listStreamNotifications
      summary: List Stream notification rules
      description: >-
        Retrieves all configured notification rules for monitoring
        Stream data flow rates and triggering alerts via webhook
        or PagerDuty targets.
      tags:
        - Notifications
      responses:
        '200':
          description: Successfully retrieved notification rules
          content:
            application/json:
              schema:
                type: object
                properties:
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/Notification'
                  count:
                    type: integer
                    description: Total number of notification rules
        '401':
          description: Unauthorized
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Bearer token obtained via OAuth 2.0 client credentials grant
        (Cribl Cloud) or the /auth/login endpoint (on-premises).
  parameters:
    groupId:
      name: groupId
      in: path
      required: true
      description: The worker group or fleet identifier
      schema:
        type: string
    resourceId:
      name: id
      in: path
      required: true
      description: The unique identifier of the resource
      schema:
        type: string
  schemas:
    Pipeline:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the pipeline
        conf:
          type: object
          description: Pipeline configuration object
          properties:
            functions:
              type: array
              description: Ordered list of processing functions
              items:
                $ref: '#/components/schemas/PipelineFunction'
            description:
              type: string
              description: A human-readable description
            asyncFuncTimeout:
              type: integer
              description: Timeout for async functions in milliseconds
            output:
              type: string
              description: Default output destination
            streamtags:
              type: array
              items:
                type: string
              description: Tags applied to events in this pipeline
    PipelineFunction:
      type: object
      properties:
        id:
          type: string
          description: The function type identifier
        filter:
          type: string
          description: JavaScript expression to filter events
        disabled:
          type: boolean
          description: Whether this function is disabled
        conf:
          type: object
          description: Function-specific configuration
        description:
          type: string
          description: A human-readable description
    Route:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the route
        name:
          type: string
          description: Display name for the route
        filter:
          type: string
          description: JavaScript filter expression for matching events
        pipeline:
          type: string
          description: The pipeline ID for processing matched events
        output:
          type: string
          description: The destination ID for processed events
        final:
          type: boolean
          description: Whether matched events stop further evaluation
        disabled:
          type: boolean
          description: Whether this route is disabled
        description:
          type: string
          description: A human-readable description
    Source:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the source
        type:
          type: string
          description: >-
            The source type such as syslog, http, kafka, splunk_tcp,
            tcp_json, file_monitor, or others
        disabled:
          type: boolean
          description: Whether the source is disabled
        host:
          type: string
          description: The host or address to listen on
        port:
          type: integer
          description: The port number to listen on
        pipeline:
          type: string
          description: The pipeline to process events from this source
        description:
          type: string
          description: A human-readable description
        streamtags:
          type: array
          items:
            type: string
          description: Tags applied to events from this source
    Destination:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the destination
        type:
          type: string
          description: >-
            The destination type such as splunk, s3, elasticsearch,
            webhook, syslog, kafka, or others
        disabled:
          type: boolean
          description: Whether the destination is disabled
        host:
          type: string
          description: The target host address
        port:
          type: integer
          description: The target port number
        description:
          type: string
          description: A human-readable description
        streamtags:
          type: array
          items:
            type: string
          description: Tags for filtering events
    Function:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the function type
        category:
          type: string
          description: The function category
        description:
          type: string
          description: A human-readable description
    WorkerGroup:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the worker group
        name:
          type: string
          description: Display name for the worker group
        description:
          type: string
          description: A human-readable description
        workerCount:
          type: integer
          description: Number of connected worker nodes
        configVersion:
          type: string
          description: The current deployed configuration version
        tags:
          type: object
          description: Key-value tags for organizing groups
    Collector:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the collector
        type:
          type: string
          description: The collector type such as rest, script, or database
        schedule:
          type: object
          description: The collection schedule configuration
          properties:
            cronSchedule:
              type: string
              description: Cron expression for scheduled collection
            enabled:
              type: boolean
              description: Whether the schedule is enabled
        conf:
          type: object
          description: Collector-specific configuration
        description:
          type: string
          description: A human-readable description
    Pack:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the pack
        source:
          type: string
          description: The source URL or registry path
        version:
          type: string
          description: The installed version
        author:
          type: string
          description: The pack author
        description:
          type: string
          description: A human-readable description
        displayName:
          type: string
          description: The display name
    Lookup:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the lookup
        type:
          type: string
          description: The lookup type such as file or database
        fileInfo:
          type: object
          description: File-based lookup metadata
          properties:
            filename:
              type: string
              description: The lookup filename
            size:
              type: integer
              description: The file size in bytes
        description:
          type: string
          description: A human-readable description
    Notification:
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the notification rule
        type:
          type: string
          description: The notification type
        targets:
          type: array
          description: List of notification targets
          items:
            type: object
            properties:
              type:
                type: string
                description: Target type such as webhook or pagerduty
              url:
                type: string
                description: The target webhook URL
        description:
          type: string
          description: A human-readable description