One picture: every collector, what it collects, where it runs, what it forwards to.
The monitoring stack runs across four hosts: the homelab Proxmox cluster, the macOS workstation, the OrbStack K8s cluster on that workstation, and the AWS-side Splunk install. Each tier picks the lowest-overhead path the host OS supports natively. This page maps every collector to a host and a destination.

The collectors

| Collector | Where it runs | What it collects | Forwards to |
| --- | --- | --- | --- |
| cribl-edge (homelab) | LXC on Proxmox, deployed by ansible-proxmox-apps | HAProxy syslog/NetFlow, host telemetry from Proxmox guests | cribl-stream (homelab) |
| cribl-stream (homelab) | LXC on Proxmox, deployed by ansible-proxmox-apps | Edge events, ingest reduction, routing | Splunk HEC (ansible-splunk) |
| cribl-edge (Mac native) | Native macOS Cribl Edge install (Nix-managed) | macOS unified logs, system metrics, thermal, powermetrics, battery via cc-edge-the-mac-pack | Stream (downstream of pack) |
| cribl-edge-standalone (OrbStack) | StatefulSet in orbstack-kubernetes monitoring namespace | AI tool telemetry — Claude Code (OTLP), Gemini Antigravity, VS Code | cribl-stream-standalone (OrbStack) |
| cribl-edge-managed (OrbStack) | StatefulSet in orbstack-kubernetes | Subset of telemetry tagged for Cribl Cloud | Cribl Cloud |
| cribl-stream-standalone (OrbStack) | StatefulSet in orbstack-kubernetes | Edge events + REST poll from cc-stream-github-copilot-rest-io | Splunk HEC |
| otel-collector (OrbStack) | StatefulSet in orbstack-kubernetes | OTLP from Claude Code SDK, Bifrost, any in-cluster OTLP source | cribl-stream-standalone (OrbStack) |

The Edge → Stream → Splunk invariant

Across every tier, the architectural rule is the same: Edge collects, Stream routes, Splunk indexes. Edge does not talk directly to Splunk anywhere on this stack. Stream is the only component with Splunk egress. On the OrbStack cluster this is enforced by network policies that lock Edge egress to Stream on HEC port 8088 only; on the homelab Proxmox side the rule is operational (single Stream tier, well-known HEC endpoint), reinforced by firewall rules in terraform-proxmox/modules/firewall/.
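One way to check the OrbStack half of this invariant in CI, as an added example that is not taken from orbstack-kubernetes: the function below audits a NetworkPolicy manifest and reports every egress rule that lets Edge reach anything other than Stream on TCP 8088. The policy name, namespace and `app` labels are assumptions made for the sample.

```python
import json

# Constructed sample manifest; name, namespace and labels are assumptions.
EDGE_POLICY = json.loads("""
{
  "apiVersion": "networking.k8s.io/v1",
  "kind": "NetworkPolicy",
  "metadata": {"name": "edge-egress-stream-only", "namespace": "monitoring"},
  "spec": {
    "podSelector": {"matchLabels": {"app": "cribl-edge-standalone"}},
    "policyTypes": ["Egress"],
    "egress": [
      {"to": [{"podSelector": {"matchLabels": {"app": "cribl-stream-standalone"}}}],
       "ports": [{"protocol": "TCP", "port": 8088}]}
    ]
  }
}
""")

STREAM_LABELS = {"app": "cribl-stream-standalone"}  # assumed Stream pod labels
HEC_PORT = 8088

def egress_violations(policy, stream_labels=STREAM_LABELS, hec_port=HEC_PORT):
    """Return reasons this policy lets Edge reach anything but Stream on the HEC port."""
    spec = policy.get("spec", {})
    # Kubernetes default: Egress applies only if listed, or if egress rules exist.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" not in types:
        return ["Egress is not a policy type: the selected pods have unrestricted egress"]
    problems = []
    for i, rule in enumerate(spec.get("egress", [])):
        peers, ports = rule.get("to", []), rule.get("ports", [])
        if not peers:
            problems.append(f"rule {i}: no 'to' peers, so every destination is allowed")
        for peer in peers:
            labels = peer.get("podSelector", {}).get("matchLabels")
            if "ipBlock" in peer or "namespaceSelector" in peer or labels != stream_labels:
                problems.append(f"rule {i}: peer {peer} is not exactly the Stream pod selector")
        if not ports:
            problems.append(f"rule {i}: no ports, so every port is allowed")
        for p in ports:
            if p.get("port") != hec_port or p.get("protocol", "TCP") != "TCP":
                problems.append(f"rule {i}: port {p} is not TCP/{hec_port}")
    return problems
```

A DNS egress rule, if the real policy carries one, is reported as a violation here and has to be allow-listed deliberately.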

Per-tool Cribl Edge packs

The AI-coding-tool packs sit on top of the OrbStack cluster’s cribl-edge-standalone:

| Pack | Collects from |
| --- | --- |
| cc-edge-claude-code-otel | Claude Code (OTEL hooks) |
| cc-edge-copilot-otel | GitHub Copilot Chat (OTLP gRPC) |
| cc-edge-vscode-io | VS Code (logs + telemetry) |
| cc-edge-gemini-antigravity-io | Gemini Antigravity |
| cc-edge-macos-system | macOS-native system events (archived predecessor) |

The macOS host telemetry pack cc-edge-the-mac-pack targets the native macOS Cribl Edge install (not the OrbStack-deployed one) — its exec inputs call macOS-only binaries that need host access, not a Linux container.

REST collectors

| Pack | Polls | Hosted on |
| --- | --- | --- |
| cc-stream-github-copilot-rest-io | GitHub Copilot usage metrics REST API (per-org, per-seat) | cribl-stream-standalone (OrbStack) |

REST collectors run on Stream rather than Edge because they’re pull-based jobs against authenticated APIs — closer to the routing layer’s responsibility than the host-side capture layer.

OTel collectors

| Collector | Where | Role |
| --- | --- | --- |
| otel-collector (OrbStack) | StatefulSet in orbstack-kubernetes | OTLP gRPC/HTTP receiver (ports 4317/4318, NodePorts 30317/30318), forwards to cribl-stream-standalone |
| Bifrost gateway | StatefulSet in orbstack-kubernetes (bifrost) | Multi-provider AI gateway; emits OTLP that the OTel collector picks up |

Anything inside the OrbStack cluster that speaks OTLP gets pointed at the in-cluster OTel collector. Anything outside the cluster but on the same Mac (Claude Code, Gemini Antigravity, VS Code) talks to the OTel collector through the NodePort or hands off to the Cribl Edge standalone pack.

Heartbeats

Four healthchecks.io CronJobs run in the OrbStack monitoring namespace as dead-man switches:

| CronJob | Pings when |
| --- | --- |
| pipeline-heartbeat | Cribl Stream is alive and routing |
| heartbeat-splunk | Splunk HEC accepts the test event |
| heartbeat-edge | Cribl Edge processes the test event |
| heartbeat-otel | OTel collector receives a test span |

A missed ping is the first signal of a broken pipeline — every other failure mode tends to be silent.
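A sketch of what a heartbeat-splunk style job can do, as an added example rather than the CronJob's actual code: it posts one test event to Splunk HEC and pings the healthchecks.io check only when HEC acknowledges the event. The function name, event body and the URLs passed in are assumptions; the explicit `/fail` ping on a rejected event is an addition to the plain missed-ping behaviour described above.

```python
import json
import urllib.request

def send_heartbeat(hec_url, hec_token, ping_url, opener=urllib.request.urlopen):
    """Post one test event to Splunk HEC; ping healthchecks.io only if HEC accepted it.

    hec_url, hec_token and ping_url are caller-supplied (assumed) values;
    opener is injectable so the logic can be exercised offline.
    """
    event = json.dumps({"event": {"heartbeat": "splunk"}, "sourcetype": "heartbeat"}).encode()
    req = urllib.request.Request(
        hec_url, data=event, method="POST",
        headers={"Authorization": f"Splunk {hec_token}"},
    )
    try:
        with opener(req, timeout=10) as resp:
            body = json.loads(resp.read())
        # HEC acknowledges an accepted event with {"text": "Success", "code": 0}.
        accepted = isinstance(body, dict) and body.get("code") == 0
    except (OSError, ValueError):
        # Connection refused, TLS failure, HTTP error status or a non-JSON reply.
        accepted = False

    # Accepted: ping the check URL. Rejected: ping <url>/fail so the alert does
    # not wait for the grace period. If the job never runs at all, no ping is
    # sent, and the missed ping is what raises the alarm.
    target = ping_url if accepted else ping_url + "/fail"
    try:
        with opener(urllib.request.Request(target), timeout=10):
            pass
    except OSError:
        pass  # an unreachable healthchecks.io also ends in a missed ping
    return accepted
```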

Forwarding to AWS DR

The Splunk install behind cribl-stream is the homelab indexer. tf-splunk-aws provisions the AWS-side DR footprint: same data shape, smaller indexer tier, ready to take a failover. Cribl Stream’s output config can be flipped from the homelab Splunk to the AWS HEC endpoint via a routing-rule change; downstream AI-observability dashboards keep working because they target the same indexes regardless of which Splunk tier is live.

See also

Observability overview

The OTEL → Cribl → Splunk pipeline, end to end.

orbstack-kubernetes

The OrbStack K8s cluster running the macOS-side monitoring stack.

cc-edge-the-mac-pack

The macOS host telemetry pack — what runs on the native Edge install.

ansible-splunk

The Splunk install everything routes into.