v1.4 Release

6 months ago by dritan bitincka

2019-02-19 - Cribl LogStream v1.4 is now available.

What's New

- Structured Parsing & Re-Serializing

  • Added capability to work with structured events in various formats: CSV, K=V Pairs, Extended Log File Format, Common Log Format, and JSON
  • Added capability to extract fields from, or re-write (re-serialize) parsed and modified events back to, their original format
  • Added capability to filter fields based on name, index and value
  • Added out of the box parsing support for the following sources:
    Palo Alto: Traffic, Threat, System and Config events
    AWS: ALB, ELB, VPC Flow Logs, CloudFront, S3 Server Access Logs
    Apache Access: Combined and Common Log Formats
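
The parse, filter and re-serialize cycle described above, shown on a constructed key=value event. This is an added illustration, not Cribl's own parser or API: the function names, the field-filter predicate shape (name, index, value) and the sample event are all assumptions made here.

```javascript
// Added example (not Cribl code): parse a key=value event into fields, keep or
// drop fields by name, position or value, then re-serialize the survivors in the
// original key=value form. The event string is constructed for illustration.

const SAMPLE_KV_EVENT =
  'ts=2019-02-19T10:00:00Z src=10.1.2.3 dst=8.8.8.8 action=allow user="jane doe" bytes=512';

// Tokenise on key=value pairs, honouring double-quoted values that contain spaces
// (backslash escapes inside quotes are unescaped).
function parseKv(line) {
  const fields = [];
  const re = /(\w+)=("(?:[^"\\]|\\.)*"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    const raw = m[2];
    const quoted = raw.startsWith('"');
    const value = quoted ? raw.slice(1, -1).replace(/\\(.)/g, '$1') : raw;
    fields.push({ key: m[1], value, quoted });
  }
  return fields;
}

// Keep a field only when the predicate, given its name, index and value, returns true.
function filterFields(fields, predicate) {
  return fields.filter((f, i) => predicate(f.key, i, f.value));
}

// Re-serialize: re-quote values that were quoted or now contain whitespace.
function serializeKv(fields) {
  return fields
    .map((f) => {
      const needsQuote = f.quoted || /\s/.test(f.value);
      const v = needsQuote ? '"' + f.value.replace(/(["\\])/g, '\\$1') + '"' : f.value;
      return `${f.key}=${v}`;
    })
    .join(' ');
}

// Worked case: drop `user` (by name), keep only the first six fields (by index),
// and drop any field whose value is the loopback address (by value).
function reduceEvent(line) {
  const fields = parseKv(line);
  const kept = filterFields(
    fields,
    (name, idx, value) => name !== 'user' && idx < 6 && value !== '127.0.0.1',
  );
  return serializeKv(kept);
}
```

Round-tripping the untouched field list through `serializeKv(parseKv(line))` reproduces the input, which is the property that makes "re-write to original format" safe: only the fields you remove or change differ in the output.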

- Event Suppression

  • Added capability to suppress (drop) incoming events based on an arbitrary key expression
  • Added capability to mark suppressed events instead of dropping them, which is useful for other downstream decisions.
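
A keyed suppressor of the kind described above, as an added example that is not Cribl's implementation: the key expression is an arbitrary function of the event, a per-key allowance passes through before suppression begins, the count resets after a time window, and a mark-only mode tags the event (field name `suppressed` is an assumption here) rather than dropping it. The sample events are constructed.

```javascript
// Added example (not Cribl code): suppress repeated events that share a key.
// In drop mode suppressed events are discarded; in mark-only mode they pass
// through with a marker field so a later stage (e.g. a route) can decide.

class Suppressor {
  // keyFn: derives the suppression key from an event (any expression over its fields).
  // allow: events per key that pass before suppression starts within a window.
  // windowMs: after this much time since the first event of a key, the count resets.
  // markOnly: tag instead of drop; markField: name of the tag field (assumed name).
  constructor({ keyFn, allow = 1, windowMs = 60000, markOnly = false, markField = 'suppressed' }) {
    this.keyFn = keyFn;
    this.allow = allow;
    this.windowMs = windowMs;
    this.markOnly = markOnly;
    this.markField = markField;
    this.seen = new Map(); // key -> { start, count }
  }

  // Returns the event (possibly marked) or null when it is dropped.
  process(event, nowMs) {
    const key = this.keyFn(event);
    let state = this.seen.get(key);
    if (!state || nowMs - state.start >= this.windowMs) {
      state = { start: nowMs, count: 0 };
      this.seen.set(key, state);
    }
    state.count += 1;
    if (state.count <= this.allow) return event;
    if (this.markOnly) return { ...event, [this.markField]: true };
    return null;
  }
}

// Constructed stream: three identical auth failures within a second, one different
// message, then the same failure again after the 60 s window has elapsed.
const SAMPLE_EVENTS = [
  { t: 0, host: 'web01', msg: 'auth failure for admin' },
  { t: 1000, host: 'web01', msg: 'auth failure for admin' },
  { t: 2000, host: 'web01', msg: 'auth failure for admin' },
  { t: 3000, host: 'web01', msg: 'session opened for jane' },
  { t: 70000, host: 'web01', msg: 'auth failure for admin' },
];

// Run the sample through a suppressor keyed on host + message, allowing one per minute.
function runSample(markOnly) {
  const s = new Suppressor({ keyFn: (e) => `${e.host}|${e.msg}`, allow: 1, windowMs: 60000, markOnly });
  const out = [];
  for (const e of SAMPLE_EVENTS) {
    const r = s.process(e, e.t);
    if (r !== null) out.push(r);
  }
  return out;
}
```

In drop mode the five constructed events collapse to three (first failure, the unrelated message, and the failure that starts a new window); in mark-only mode all five survive and the second and third failures carry the marker, so volume is unchanged but downstream logic can route or count them differently.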

- Splunk HTTP Event Collector Input

  • Added support for accepting events via Splunk HEC.
  • HEC support covers the /services/collector event endpoint for JSON-formatted events

- Source and Destination Statuses

  • Added support for real-time status reporting of configured sources and destinations. Metrics include bytes and events in buffer, bytes and events out, last connect time, and error messages.

- Support for Scripts

  • Added capability to execute scripts on demand
  • This enables Cribl admins to trigger automation tasks directly from the UI (e.g., on config change).

- Enhanced Data Preview

  • Added support for end-to-end preview of data transformations
  • Preview is no longer limited to a single pipeline

Other Improvements or Changes

  • Added C.Net.cidrMatch(), C.Net.ipv6Normalize(), C.Net.isPrivate() functions to help with manipulating network-related fields/events
  • Added C.Text.entropy(), C.Text.relativeEntropy(), C.Text.hashCode() functions to help with text hashcode and entropy calculations.
  • General UX improvements and fixes
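
What the network and text helpers above compute, and how they combine in an enrichment step, as an added illustration rather than Cribl's own implementations: plain-function CIDR matching and private-range checks (IPv4 only; the private ranges chosen here, RFC 1918 plus loopback and link-local, are an assumption), Shannon entropy of a string, and a constructed `enrich()` that uses them to label traffic direction and flag high-entropy hostnames. Field names, the DMZ CIDR and the 3.5-bit threshold are all constructed for the example.

```javascript
// Added example (not Cribl code): standalone equivalents of CIDR matching,
// private-address detection and string entropy, applied to constructed events.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; rejects malformed input.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True when `ip` lies within `cidr` (e.g. '10.0.0.0/8').
function cidrMatch(cidr, ip) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // << 32 would wrap, so special-case /0
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Assumed definition of "private": RFC 1918 ranges plus loopback and link-local.
const PRIVATE_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16'];
function isPrivate(ip) {
  return PRIVATE_RANGES.some((r) => cidrMatch(r, ip));
}

// Shannon entropy in bits per character; 0 for empty or single-symbol strings.
function entropy(str) {
  const chars = Array.from(String(str));
  if (chars.length === 0) return 0;
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed enrichment: label direction from src/dst privacy, note whether the
// source sits in an assumed DMZ range, and flag hostnames above an entropy threshold.
const DMZ_CIDR = '10.50.0.0/16';        // constructed
const HIGH_ENTROPY_BITS = 3.5;          // constructed threshold for illustration
function enrich(event) {
  const srcPrivate = isPrivate(event.src);
  const dstPrivate = isPrivate(event.dst);
  let direction = 'external';
  if (srcPrivate && dstPrivate) direction = 'internal';
  else if (srcPrivate) direction = 'outbound';
  else if (dstPrivate) direction = 'inbound';
  const hostEntropy = entropy(event.host);
  return {
    ...event,
    direction,
    srcInDmz: cidrMatch(DMZ_CIDR, event.src),
    hostEntropy,
    hostSuspicious: hostEntropy >= HIGH_ENTROPY_BITS,
  };
}

// Constructed sample events.
const SAMPLE_EVENTS = [
  { src: '10.1.2.3', dst: '8.8.8.8', host: 'www.example.com' },
  { src: '10.50.7.9', dst: '203.0.113.5', host: 'q7x2kp9zv4mw.example.com' },
  { src: '198.51.100.4', dst: '192.168.1.5', host: 'intranet' },
];
```

The entropy helper is the building block for the usual "random-looking hostname or path" signal; the threshold and the decision to score the whole hostname rather than just its leftmost label are tuning choices, not part of the function.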

Cribl Command Line Changes

  • Added command line options to change mode, invoked via node cribl/bin/cribl.bundle.js:

    mode-searchhead - Configure Cribl for running on a Splunk Search Head. This will disable all event processing routes and pipelines.
    mode-hwf - Configure Cribl for running on a Splunk Heavy Forwarder. Default mode.
    mode-idx - Configure Cribl for running on a Splunk Indexer (demo package only).