playbooks

home / mcp / cribl mcp server

Cribl MCP Server

Provides access to Cribl deployments for querying groups, sources, destinations, pipelines, routes, breakers, and lookups.

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "atree1023-snc-cribl-mcp": {
      "url": "https://<cribl-host>/mcp",
      "headers": {
        "LOG_LEVEL": "INFO",
        "CRIBL_PASSWORD": "YOUR_PASSWORD",
        "CRIBL_USERNAME": "YOUR_USERNAME",
        "CRIBL_SERVER_URL": "https://<cribl-host>/mcp",
        "CRIBL_TIMEOUT_MS": "30000",
        "CRIBL_VERIFY_SSL": "true"
      }
    }
  }
}

This MCP server provides structured access to Cribl deployments, letting you query worker groups, fleets, sources, destinations, pipelines, routes, event breakers, and lookups. It handles authentication, token refresh, and presents data in a consistent JSON format that AI assistants or orchestration tools can consume to manage and monitor Cribl environments.

How to use

Start the MCP server and connect your MCP client to explore Cribl deployments. You can list groups, sources, destinations, pipelines, routes, breakers, and lookups, and then drill into detailed configurations for each item. Use the client to fetch data on a per-product basis (Stream for worker groups and Edge for fleets) or to retrieve all configured objects across your entire Cribl deployment.

How to install

Prerequisites: you need Python 3.14 or higher and the uv package runner. You also need access to a Cribl deployment with valid credentials.

# Clone the repository
git clone <repository-url>
cd snc_cribl_mcp

# Install dependencies using uv
uv sync

Configuration and usage notes

Configure access to Cribl by setting environment variables in a local environment file or your runtime environment. This controls how the MCP server authenticates to Cribl and how verbose it is during operation.

The server supports automatic token management for customer-managed Cribl deployments and uses bearer tokens for authentication.

Authentication and security

The MCP server authenticates to Cribl using bearer tokens. Tokens are retrieved automatically using your credentials and refreshed as needed. For production use, enable TLS and use HTTPS endpoints.

Troubleshooting tips

If you encounter authentication issues, check that your Cribl credentials are correct and that token refresh is functioning. Verify SSL settings if you are using HTTPS, and inspect log levels to gather more details about failures.

Tools and capabilities overview

The MCP server exposes a set of tools that let you discover and enumerate Cribl configurations across your deployment. These include listing groups, sources, destinations, pipelines, routes, breakers, and lookups.

Available tools

list_groups

Lists all Stream worker groups and Edge fleets from your Cribl deployment. Returns structured data including group IDs, names, descriptions, and configurations.

list_sources

Lists all configured sources across all groups and products, including regular sources and collector sources, with IDs, types, and configurations.

list_destinations

Lists all configured destinations across all groups and products with IDs, types, and configurations.

list_pipelines

Lists all configured pipelines across all groups and products with IDs, names, and configurations.

list_routes

Lists all configured routes across all groups and products with IDs, names, filters, destinations, and referenced pipelines.

list_breakers

Lists all configured event breakers across all groups and products with rules and configurations.

list_lookups

Lists all configured lookups across all groups and products with IDs, file info, and configurations.