Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF – v.3.1.2

v2.4.1 Release

8 months ago by Michael Katz

2021-02-03 - Cribl LogStream 2.4.1 – Maintenance Release

New Features

This release provides the following enhancements:

Enhanced Event Breakers

You can now define Event Breaker Rules of Type: CSV, to extract fields in CSV streams that include a header line.

You can now define Event Breaker Rules of Type: Timestamp, to break events at the beginning of any line in which LogStream finds a timestamp.

Enhanced Sources, Destinations, and Collectors

Sources and Destinations with full TLS support now enable you to (optionally) specify minimum and/or maximum TLS versions for connections.

Splunk Load Balanced Destinations now allow you to constrain the number of concurrent indexer connections, per Worker Process, to limit memory consumption.

Splunk Sources' connection open/close logs are moved to the debug level.

The Output Router Destination's Rules table now provides a Description column.

The S3 Collector, upon Preview, now provides more-detailed error messaging about incorrect connection settings.

Enhanced Functions

The Numerify Function now provides a Format option to round or truncate extracted numeric values.

The Publish Metrics Function now supports adding, and removing, metrics as well as dimensions.

The Auto Timestamp Function's Strptime format field is now a combo box, offering an (optional) drop-down to select among predefined formats.

UX/UI and Logging Improvements

Multiple fields now display a Copy button upon hover.

You can now use filter expressions to search within previewed and captured data samples.

The Capture Sample Data modal has been Marie Kondo'ed (decluttered). Sample File Settings are now displayed only after selecting Save as Sample File.

LogStream now protects against duplicate datagen and sample file names.

Pipelines now provide clearer visual indicators to separate adjacent and focused Functions.

Pipelines now provide better error handling and warnings around invalid configurations.

Mappings Rulesets now have an Active indicator, and warn that saving changes will take effect immediately.

The Lookups page now displays row counts per lookup file.

A new log event indicates when Workers pull a configuration bundle from the Master.

LogStream no longer returns an HTTP response code 200 when malformed JSON events are received but then dropped.


This release includes the following fixes:

Connection and Startup Fixes

CRIBL-4384 Workers with compression enabled can now connect to the Master after upgrade to v.2.4.1.

CRIBL-4270 Corrected unintended re‑encryption of the S3 Source's auth secret key, which blocked data input.

CRIBL-4265 Google Cloud Storage Destination now supplies the endpoint, as intended.

CRIBL-4343 Corrected the Master process' failure due to missing cribl/state directory.

CRIBL-4257 Corrected the Cribl Splunk app's unintended persistence of free license files in SPLUNK_HOME after uninstall.

CRIBL-4350 Corrected the Kafka Destination's support for compression.

CRIBL-4126 Streaming Sources now protect Worker Processes against connection storms.

CRIBL-3402 Corrected unintended retries when a Worker Process shuts down on API exit.

Data-Flow and Functional Fixes

CRIBL-4334 The MinIO Destination's MinIO bucket name field now uses a JavaScript expression.

CRIBL-4225 Corrected logs' handling of multi-line content.

CRIBL-4274 Corrected the Prometheus Source's unintended passing of metric values as strings.

CRIBL-4268 Corrected the New Relic Destination's failure to post metrics to New Relic dashboards.

CRIBL-4260 Corrected Splunk Destinations' unintended indexing of LogStream heartbeat events.

CRIBL-4247 Corrected the C.Text.parseWinEvent method's failure to parse the EventData.Data field.

CRIBL-4231 Corrected the unintended flattening of fields specified in the Aggregations Function > Group by Fields.

CRIBL-4045 Corrected datagen creation for Windows Event Logs where a timestamp occupies the entire first line.

CRIBL-4249 Corrected the Capture Sample Data modal's failure to copy custom Filter Expression values from Routes (with fallback to the default true entry).

CRIBL-4341 In Splunk HEC Sources, an empty Allowed Indexes field is no longer used to validate index values.

CRIBL-4146 Keyword search now filters on the Cribl Internal Source, as intended.

Error-Checking Fixes

CRIBL-4303 Added checks against "unhandledRejection" errors when the outputs.yml file contains broken configuration.

CRIBL-4252 Added a path-name length check to prevent EADDRINUSE errors.

CRIBL-2996 LogStream now forces any configured Maximum TLS version to be no lower than any Minimum TLS version configured on the same object.

CRIBL-4269 Removed ‑b' flag from git status` command, to prevent errors

CRIBL-2900 On the MinIO and S3 Destinations, the Output ID field now interactively validates users' entries for accepted format.

CRIBL-4349 Improved error messaging when LDAP is configured with wrong User Name field.

UX/UI Fixes

Observability UX/UI Fixes

CRIBL-4306 Restored Master's access to Sources' configuration and Live status when viewing Workers' UI.

CRIBL-4149 Corrected the S3 Source's incorrect green status display when LogStream cannot delete SQS events from the queue. The status now displays as yellow.

CRIBL-4259 Restored UI configuration of Worker Nodes' Local Users.

Preview, Capture, and Samples UX/UI Fixes

CRIBL-4319 Restored full Preview when viewing a Worker's UI from the Master.

CRIBL-4378 In Preview and Capture modals, the All and None toggle buttons now work as intended.

CRIBL-4201 Corrected the Preview pane's unintended display of + expansion symbols on single values.

CRIBL-4351 Corrected the sorting of Sample Files by the File Name column.

Miscellaneous UX/UI Fixes

CRIBL-4354 Corrected Knowledge > Lookups text editor's failure to create a new file, triggering "no such file or directory" error.

CRIBL-4344 Corrected error when pressing Return/Enter on sortable list items.

CRIBL-4320 Restored the Pipelines page's missing Actions column header.

CRIBL-4289 Corrected the Filters pop-up's blocking of the underlying Filter field.

CRIBL-4330 When a collector Run fails, clicking on Logs no longer hides the modal's context.

CRIBL-4318 Corrected log search bar's behavior in Master mode.

CRIBL-4309 Corrected timestamp highlighting in the Event Breaker UI.

CRIBL-4073 The Settings > Access Management > Local Users > Password field is now properly labeled as Required (*).

CRIBL-4105 Settings > Custom Login Page > Logo file now enforces and error-checks images' maximum file size, maximum dimensions, and .png file format.

CRIBL-4075 Pressing the Esc key now consistently closes modals (interposing a confirmation dialog for unsaved changes).

CRIBL-4230 Corrected Grok Patterns' unintended display of a Save button on unaltered files.

CRIBL-2902 In Dark Mode, corrected the random display of ••• symbols in the top menu bar. Aliens were not involved.

Documentation and In-App Help Fixes

CRIBL-2835 Corrected API Docs' display in Dark Mode.

CRIBL-4251 Restored the in-app display of Destinations' docs.

CRIBL-4331 For SQS and S3 Sources and Destinations, documentation now clarifies that several fields' values must be entered as single-quoted JavaScript expressions.

CRIBL-4296 Corrected API Docs' rendering of metrics and status endpoints.