by pebbletek
Streamline DevOps workflows by managing configurations, pipelines, and metrics with Cribl Stream for optimized data proc
Connects AI clients to Cribl Stream deployments for managing data processing configurations, pipelines, and monitoring system metrics through a standardized API interface.
Cribl Stream is a community-built MCP server published by pebbletek that provides AI assistants with tools and capabilities via the Model Context Protocol. Streamline DevOps workflows by managing configurations, pipelines, and metrics with Cribl Stream for optimized data proc It is categorized under developer tools, analytics data.
You can install Cribl Stream in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
MIT
Cribl Stream is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
Add new capabilities to Claude beyond text generation
Example
Access external data sources, execute code, interact with tools and services
Transform Claude from chatbot to action-taking agent
Provide Claude with access to relevant context and data
Example
Load project documentation, access knowledge bases, query databases
Get more accurate, context-aware responses
Automate multi-step workflows combining AI and external tools
Example
Research → Summarize → Create document → Send notification
Complete complex tasks end-to-end without manual steps
Share your MCP server with the developer community
Cribl Stream has been reliable for tool-calling workflows; the MCP profile page is a good permalink for internal docs.
Cribl Stream is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.
Strong directory entry: Cribl Stream surfaces stars and publisher context so we could sanity-check maintenance before adopting.
Cribl Stream is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.
I recommend Cribl Stream for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
Cribl Stream reduced integration guesswork — categories and install configs on the listing matched the upstream repo.
I recommend Cribl Stream for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
We evaluated Cribl Stream against two servers with overlapping tools; this profile had the clearer scope statement.
According to our notes, Cribl Stream benefits from clear Model Context Protocol framing — fewer ambiguous “AI plugin” claims.
We evaluated Cribl Stream against two servers with overlapping tools; this profile had the clearer scope statement.
showing 1-10 of 73
A Model Context Protocol (MCP) server that enables AI interactions with the Cribl API.
This server allows AI clients to discover and invoke data operations from a Cribl deployment, using standardised MCP tooling.
For detailed documentation, please see the docs/ directory. Here's a breakdown of the documentation files:
README.md (this file): Provides the highest-level introduction, quick start instructions, very basic examples, and links to the docs directory.docs/configuration.md: Focuses specifically on the environment variables needed for configuration and explains the authentication modes. It's purely about setup.docs/usage.md: Focuses on how to run the server (via npx or local development commands) and how to configure an MCP client to connect to it. It provides conceptual examples of invoking the tools.docs/overview.md: Sits between the README and the specific config/usage docs. It details what the server offers in terms of authentication and, most importantly, provides a detailed reference guide to the available tools and their specific parameters/outputs, and future tools.You can either install and run locally, or execute instantly via npx. npx saves you installing Git, dependencies, or any build tools. Both scenarios require you to have node later than version 16 installed:
To run this server ensure the following:
You can install Node.js from https://nodejs.org.
To verify your setup:
node -v
npx -v
npxCRIBL_BASE_URL=https://your.cribl.cloud.instance CRIBL_AUTH_TYPE=cloud CRIBL_CLIENT_ID=abc123 CRIBL_CLIENT_SECRET=secret npx @pebbletek/cribl-mcp
Note: Running npx requires essential environment variables (like CRIBL_BASE_URL and authentication details) to be set either in your environment or passed directly on the command line for the server to connect successfully.
See docs/usage.md for advanced npx usage configuration, including relevant JSON for your MCP client, and required variables.
git clone https://github.com/pebbletek/cribl-mcp.git
cd cribl-mcp
npm install
.env.example file and populate the required values:
cp .env.example .env
See docs/configuration.md for details on environment variables and authentication, and docs/usage.md for running the server.
This server provides tools to interact with Cribl, including:
For a detailed list and usage instructions, see docs/usage.md.
Once connected via an MCP client (like Claude Desktop), you can interact with your Cribl instance using natural language prompts that leverage the available tools. Here are some examples:
Prompt: what sources are we ingesting?
(you will need to allow the MCP client access to the tool)
Response will be something like:
"To answer your question about ingested sources, let me check the available data sources in your Cribl Stream environment.
<View result from cribl_getSources from Cribl (local)>
Let me also check what pipelines are configured in your Cribl Stream environment:
<View result from cribl_getPipelines from Cribl (local)>
Based on the information I've retrieved from your Cribl Stream environment, here are the sources you are ingesting:
Active Data Sources
Your Cribl Stream instance has several configured data sources, with the following notable ones:
Pipeline Configurations
Your environment also has several pipelines configured for processing specific data types:
These pipelines suggest you're ingesting network security logs from Cisco ASA firewalls, Cisco eStreamer (likely from Firepower/FTD devices), Palo Alto Networks firewalls, and Windows security events.
Would you like more detailed information about any specific source or pipeline configuration?"
Prompt: what functions are processing the palo alto traffic?
Response:
"Let me examine the functions that are processing the Palo Alto traffic in more detail:
<View result from cribl_getPipelineConfig from Cribl (local)>
Here's a detailed breakdown of how the Palo Alto traffic data is being processed in your Cribl Stream environment:
Palo Alto Traffic Pipeline Functions
1. Initial Filter (Eval):
2. Field Extraction (Regex Extract):
3. Filtering Events (Drop):
Prompt: please update the pipeline to include start events as well as end events.
Response:
"I'll update the Palo Alto traffic pipeline to include both "start" and "end" events by modifying the configuration. Let me make this change for you:
<View result from cribl_getPipelineConfig from Cribl (local)>
Now I'll update the pipeline configuration to keep both "start" and "end" events by disabling the drop function and updating the comments:
<View result from cribl_setPipelineConfig from Cribl (local)>
Now let's restart the worker group to apply these changes: <View result from cribl_restartWorkerGroup from Cribl (local)>
The Palo Alto traffic pipeline has been successfully updated to include both "start" and "end" events. Here's what I modified:
Disabled the Drop Function:
Updated the Comment:
Restarted the Worker Group:
The updated pipeline will now process both "start" and "end" events from your Palo Alto firewalls, giving you complete visibility into traffic sessions from initiation through completion. All other processing functions remain in place, including:
Your Palo Alto traffic data will now include the complete lifecycle of network connections while still maintaining the efficiency benefits of the sampling rules."
MIT
Prerequisites
Time Estimate
15-60 minutes depending on server complexity
Steps
Troubleshooting
✓ Do
✗ Don't
💡 Pro Tips
Architecture
Model Context Protocol standardizes how AI hosts (Claude, Cursor) communicate with external tools and data sources through server implementations.
Protocols
Compatibility
✓ Use when
Use when you need Claude to access external data, execute actions, or integrate with tools. Best for extending AI capabilities beyond conversation.
✗ Avoid when
Avoid when native integrations exist (use official APIs directly), for real-time critical systems, or when security/compliance requires zero external dependencies.