Cribl Stream Integration
Route observability data from Cribl pipelines to TigerOps with format-preserving transforms. Reduce ingest volume, normalize schemas, and route enriched events without losing signal fidelity.
How It Works
Add TigerOps Destination
In Cribl Stream, create a new HTTP destination pointing to the TigerOps ingestion endpoint. Select the appropriate data format (OpenTelemetry, Splunk HEC, or raw HTTP) based on your pipeline.
Build Reduction Pipeline
Use Cribl pipelines to filter noise, mask PII, and reduce data volume before forwarding to TigerOps. Cribl's pre-processing reduces ingest costs without sacrificing signal fidelity.
Configure Format Transforms
Apply Cribl functions to normalize fields across sources (Splunk, syslog, CloudWatch) into a consistent schema before reaching TigerOps. Use auto-timestamp extraction for accurate log timing.
Validate and Route
Use Cribl's live capture and preview to validate that transformed events land correctly in TigerOps. Configure routing rules to send different data streams to TigerOps vs. other destinations.
What You Get Out of the Box
Format-Preserving Pipeline Routing
TigerOps accepts data routed from Cribl in OpenTelemetry, Splunk HEC, Elastic Common Schema, and raw JSON formats. Cribl's transforms run before ingestion, preserving field fidelity.
Pre-Ingestion Data Reduction
Use Cribl's sampling, aggregation, and suppress functions to reduce data volume by 30–70% before it reaches TigerOps. Lower ingest costs without losing high-value signals.
Multi-Source Schema Normalization
Normalize fields from Splunk, syslog, CloudWatch, and custom sources into a consistent TigerOps schema using Cribl lookup tables and rename functions. Query unified data without source-specific syntax.
PII Masking Before Ingestion
Apply Cribl regex and SHA-256 masking functions to sensitive fields (email, SSN, credit card) before data reaches TigerOps. Compliance requirements met at the pipeline layer.
Cribl Pipeline Health Monitoring
TigerOps ingests Cribl internal metrics (events in/out, drop rate, CPU, memory) to monitor pipeline health. Alert when a Cribl worker group falls behind or drops events.
Fanout to Multiple Destinations
Route processed data to TigerOps while simultaneously fanning out to S3 for cold storage or Splunk for legacy queries. Cribl clones events — no duplication cost in TigerOps.
Cribl Stream HTTP Destination
Configure a TigerOps HTTP destination in Cribl Stream using the UI or YAML config.
# Cribl Stream HTTP Destination — TigerOps
# Place in $CRIBL_HOME/local/cribl/outputs/tigerops.yml
output: tigerops
type: http
disabled: false
description: Forward processed events to TigerOps
url: https://ingest.atatus.net/otlp/v1/logs
compress: gzip
format: json_array
authType: manual
headers:
- name: Authorization
value: "Bearer ${TIGEROPS_API_KEY}"
- name: Content-Type
value: application/json
# Backpressure and retry settings
maxRetries: 3
retryIntervalSec: 5
timeoutSec: 30
flushPeriodSec: 1
maxPayloadSizeKB: 4096
# Pipeline example: reduce and enrich before sending
# Pipeline: tigerops-prep
# 1. Eval: __severity = severity || level || 'info'
# 2. Mask: mask email fields with SHA-256
# 3. Sample: drop 90% of DEBUG events
# 4. Rename: normalize 'msg' -> 'message', 'ts' -> '_time'Common Questions
Which Cribl Stream output formats does TigerOps accept?
TigerOps accepts OpenTelemetry (OTLP over HTTP), Splunk HEC, raw JSON over HTTP, and InfluxDB line protocol from Cribl. Use the HTTP destination in Cribl and select the format matching your TigerOps endpoint.
Can I reduce Cribl data volume before it reaches TigerOps?
Yes — that is the primary value of this integration. Use Cribl's Sampling, Suppress, Aggregate, and Drop functions to eliminate noise. Customers typically reduce volume by 40–60% while retaining all actionable signals.
Does TigerOps support Cribl Edge as well as Cribl Stream?
Yes. Cribl Edge workers can forward to TigerOps using the same HTTP destination configuration. Edge is particularly useful for collecting endpoint logs and forwarding only filtered, enriched events to TigerOps.
How do I monitor Cribl Stream itself with TigerOps?
Enable the Cribl internal metrics output and create a route that sends cribl_* metrics to TigerOps via the HTTP destination. TigerOps provides a pre-built Cribl health dashboard covering throughput, backpressure, and worker CPU.
Can Cribl Stream help me migrate from Splunk to TigerOps?
Yes. Cribl is an effective migration bridge. Route existing Splunk forwarder traffic through Cribl, apply field mapping transforms to normalize Splunk sourcetypes into TigerOps schema, and fan out to both destinations during the transition period.
Route Smarter Data to TigerOps via Cribl
Reduce ingest volume by up to 60%, normalize schemas, and route enriched observability data to TigerOps in minutes.