Cribl LogStream – Docs

Cribl LogStream 2.2

about a year ago by dritan bitincka

2020-06-15 - Cribl LogStream 2.2 - GA Release

New Features
Data Collectors

  • Engineered from the ground up a centrally managed, distributed data collection framework.
  • Added support for ad hoc, distributed collection of data from remote or local filesystems.
  • Added support for ad hoc, distributed collection of data from Amazon S3 or S3-compatible stores.
  • Added support for ad hoc, distributed scripted collection of data using custom scripts.
  • More collectors coming on next release.

Distributed Management: New Features and Improvements

  • Added support for reverting to a previous config version from the UI.
  • Added support for viewing a Worker's UI from within the Master.
  • Added basic stats for Worker groups and improved config version and status indicators.
  • Improved navigation across Worker Groups and their respective Workers.

New Sources

  • HTTP: Split out Splunk HEC and Elasticsearch Bulk into individual Sources.
  • Splunk HEC Raw: Added support for receiving data via HEC's raw endpoint.
  • TCP: Added support for receiving raw data over TCP.

New Destinations

  • Syslog UDP: Added support for sending events out over Syslog UDP.
  • Minio: Added support for sending objects to Minio using S3-compatible API.

New Logging Management

  • Added support for fine-grained control and management of log levels for all logging channels.
  • Added redaction capabilities for sensitive strings in log fields.

New Diag Service

  • New user experience for generating diagnostic bundles.
  • Added in-product support for diagnostic bundle generation and direct sharing with Cribl Support team.

Troubleshootability: New Features and Improvements

  • Added a newly designed Logs interface to support centralized searching of logs (from the Master).
  • Added native support for fully structured JavaScript expression and timerange filtering of logs.
  • Added support for contextual status, metrics, logs, and live capture of real-time data in Sources and Destinations.
  • Added ability to run Tests on Sources to verify configs, settings, etc.

Working With Data: New Features and Improvements

  • Added support for invoking custom external commands for S3 and TCP binary Sources.
  • Added support for adding Fields (metadata) at the Source level.
  • Added support for multiple regexes in Regex Filter function.
  • Added support for multiple IP and Result fields in GeoIP function.
  • Added native support for breaking array files into individual events. E.g., CloudTrail logs.
  • Added native support for processing files with headers. E.g., Bro, IIS logs etc.
  • Added a new function, Unroll, to help break arbitrary multi-line events.

UX/UI: New Features and Improvements

  • Newly designed Home page, highlighting recent actions and other shortcuts.
  • Newly designed Sources and Destinations pages.
  • Redesign and functional simplification of Pipelines pane.
  • Improved UI presentation of metric events, highlighting values and dimensions.
  • Added historical typeahead assist for Capture filter expressions.

Other Improvements or Changes
  • A large number of general UX improvements.
  • Sped up rendering of Routes and Pipelines lists to support hundreds of rows.
  • Improved UX on functions that require filling out long lists of inputs.
  • Improved discoverability of Input and Global Variable strings.
  • Simplified UI, where possible, by removing double negatives (e.g., disable:false vs. enable:true).
  • Added support for a combined Commit & Deploy action.
  • Added support for selectively forwarding Worker metrics (Master vs. CriblMetricsIn).
  • Optimized connection and write timeout settings for various destinations.
  • Optimized and much faster CIDR-based lookups.
  • Optimized Persistent Queue default settings.
  • Improved throttling to apply at Worker/Node level as opposed to Worker Process level.
  • Upgraded internal engine to Node 12 with LTS support.
  • Added support for TLS 1.3.
  • Changed default worker process count to -2.
  • Enabled rolling restart of worker processes, to increase the availability of network ports.
  • Upgraded telemetry endpoint to point to cdn.cribl.io.
  • Improved and enhanced default Event Breaker to better support multiline events.
  • Added support for default value in Lookup function.
  • Various performance improvements and optimizations across the board.
  • Shipped a new license that expires on: 2020-09-15T00:00:00+00:00