Cribl LogStream – Docs


v2.4.3 Release

7 months ago by Michael Katz

2021-03-09 - Cribl LogStream 2.4.3 – Maintenance Release

New Features

This release provides the following improvements:

New and Enhanced Sources

CRIBL-4046 Office 365 Message Trace data can now be ingested via a native Source.

CRIBL-4317 AWS Sources now provide options to reuse HTTP connections, and to establish TLS connections to servers with self-signed certs.

CRIBL-4438 For Sources that support TLS, enabling the TLS Validate client certs toggle is now dependent on enabling Authenticate Client (mutual auth).

CRIBL-4336 The AppScope Source now parses AppScope metric events into LogStream metric events.

Enhanced Collectors

CRIBL-3184 The REST Collector now supports pagination of returned results.

CRIBL-3676 Job artifacts' names now include their run type.

Enhanced Functions

CRIBL-2997 The Aggregations Function now provides internal list(), median(), and values() functions.

CRIBL-1374 Within the Aggregations Function, Group by Fields now supports wildcards.

CRIBL-4580 The Aggregations Function now provides an option to omit null values.

CRIBL-4556 The Regex Extract Function can now create array fields.

CRIBL-3202 Grok patterns now provide a preview/validation modal like regex rules.

CRIBL-3549 For Functions like Parser and Rename, the preview/validation modal now evaluates JavaScript expressions against a richer context of input data.

CRIBL-3894 Corrected how events display in the Regex Extract and Mask Functions' preview/validation modals.

Better Git Integration

CRIBL-4032 You can now select/deselect individual files to commit via Git.

CRIBL-3351 The Commit Changes modal now provides an Undo button, to discard uncommitted changes.

CRIBL-2160 The Monitoring > Logs page now includes Git actions.

CRIBL-4552 The Username field now allows administrators to override the OpenID default identifier format.

Enhanced Data Preview, Sampling, Monitoring, and Search

CRIBL-3245 You can now create new sample files at intermediate stages, such as previewing the result of a pre-processing Pipeline.

CRIBL-2100 You can now create a datagen from an existing data sample file.

CRIBL-4000 The Preview pane now displays a warning icon and tooltip when an event lacks a valid _time field (i.e., UNIX epoch time, in seconds resolution).

CRIBL-3793 The Monitoring page now displays partial (most-recent) buckets as dotted lines, to be less scary.

CRIBL-3618 Searching against Routes and Pipelines now includes the contents of Description fields and Comment Functions.

UX/UI Improvements

CRIBL-3909 Pipelines now automatically scroll down to a newly added Function, to prevent accidental overwriting of existing Functions' fields.

CRIBL-4180 You can now press Ctrl+Enter (Linux/Windows) or Cmd+Return (Mac OS) to submit most UI forms.

CRIBL-3920 The CLI now provides more-specific error messages.


This release includes the following fixes:

Security and Authentication Fixes

CRIBL-4315 The Settings > Authentication > LDAP > Role Mapping section now allows adding mappings for similar (non-duplicate) external group names without deleting existing mappings.

CRIBL-4326 In General > TLS Settings, the Private Key Path field now provides validation and error messaging.

CRIBL-4524 You can now enter multiple authentication tokens on Splunk HEC and Splunk TCP Sources, to prevent broken data flow upon upgrade to LogStream 2.4.x.

CRIBL-4427 The Splunk HEC Source now recognizes valid tokens with Basic Authentication.

CRIBL-4395 The LogStream Download page now provides FIPS-compliant checksums.

Startup and Configuration Fixes

CRIBL-4519 Corrected failure to initialize Git remote repo upon startup, after upgrading to LogStream 2.4.2.

CRIBL-4452 Addressed "Possible EventEmitter memory leak detected" error when attempting to bind to a bound port on startup.

CRIBL-4454 Addressed "Cannot read property 'getReader' of undefined" error when attempting to bind to a bound port on startup.

CRIBL-4571 Relaxed the restart time for Workers shut down by the Linux OOM killer.

CRIBL-4488 The bootstrap script now provides an option to disable TLS.

CRIBL-4592 In General Settings > Job Limits, corrected the rejection of the Concurrent Scheduled Job Limit field's default -2 value.

CRIBL-4237 LogStream now minimizes Workers' unintended restarts when managed by systemd.

CRIBL-4051 The cribl mode‑worker CLI command now echoes complete usage options.

CRIBL-3497 UI configuration options now error-check for integers where required.

CRIBL-4535 Expression fields now warn about type mismatches rather than arbitrarily assigning new types to values.

CRIBL-4443 Corrected Cribl App for Splunk's replication settings in distsearch.conf.

CRIBL-4418 Corrected version-update errors reading "message":"Entity with "NEW_VERSION" ID already exists."

Source, Destinations, and Collectors Fixes

CRIBL-4204 All HTTP Sources provide a new Advanced Settings > Max active requests setting, to prevent overflow and hanging if Destinations are blocked.

CRIBL-4584 Corrected the Elasticsearch Destination's data output to Filebeat (and associated diagnostics) when using index templates.

CRIBL-4617 Corrected the detection of downstream Elasticsearch version when Elasticsearch is not running.

CRIBL-4448 Corrected the Elasticsearch API Source's default endpoint.

CRIBL-4432 On the Splunk Load Balanced Destination, corrected DNS resolution and indexer discovery to prevent unintended persistent queueing.

CRIBL-4546 In the Splunk HEC Source, corrected the Token field to behave as a standard password field.

CRIBL-4263 Corrected the AppScope Source's display of fields from libscope.

CRIBL-4414 Corrected a bug in the Splunk Load Balanced Destination that incorrectly displayed a 404 status for Workers.

CRIBL-4455 Extended New Relic Destination's retry interval to correct handling of log data.

CRIBL-4415 Corrected Filesystem Destination's blank Output Location column.

CRIBL-4233 Destinations' Output ID fields now provide clearer error messaging.

CRIBL-3338 Corrected the validation of POST /jobs requests.

Routes and Pipelines Fixes

CRIBL-4611 In post-processing Pipelines, corrected the Aggregations Function's misdirection of data to the Default Destination, rather than to the Pipeline's attached Destination.

CRIBL-4526 A Route's empty Filter field now defaults to false upon save, and no longer breaks other Routes.

CRIBL-4401 Shrank Routes page's Show All | Enabled | Disabled dropdown to avoid overlap with Events selector.

CRIBL-4342 In Routes > Filter validation modal, prevented suggestions pop-up from overlapping editor fields.

CRIBL-4293 On the Pipelines page, enabled selection of the CriblMetrics Route.

Event Breaker and Function Fixes

CRIBL-4569 On Safari, corrected Event Breakers' failure to show OUT events.

CRIBL-4390 Corrected the CSV Event Breaker's unintended regeneration of _raw field via serialization.

CRIBL-4616 Corrected ESC key's closing of parent Event Breaker modal along with focused child modal.

CRIBL-4376 Corrected CSV Event Breaker > Rules editor modal's display of embedded newlines.

CRIBL-4498 Corrected the Parser Function's unintended stringification of undefined values.

CRIBL-4405 The Lookup Function's Lookup and Output field names are now error-checked for special characters.

CRIBL-4400 In Functions with + Add Field buttons, newly added rows now promptly validate entry of required values.

Data Preview and Monitoring Fixes

CRIBL-4445 In the Add Sample Data modal, pressing Esc now prompts to save pending changes.

CRIBL-4568 In the Preview pane, corrected the behavior of the Show Internal Fields and Show Dropped Events toggles.

CRIBL-4209 A renamed sample data file now properly appears in the files list, without requiring a browser refresh.

CRIBL-4599 Improved data-flow diagrams under Preview Simple and Preview Full tooltips.

CRIBL-4399 On the Monitoring > Logs page, the search box's history button now retains its selected or deselected state.

CRIBL-4168 Monitoring > Logs now retains previous timezone selection when switching to a different log.

CRIBL-2285 In Settings > Logging > Levels page, corrected errors triggered by changing log level to info (or to other non-default levels).

CRIBL-4638 Corrected the Capture modal's duplicate vertical scrollbars.

Other UX/UI Fixes

CRIBL-4421 Corrected column sorting on multiple pages.

CRIBL-4422 Corrected the negative row count displayed when re-saving Lookup tables in text editor.

CRIBL-4381 In Distributed > Master Settings, corrected behavior of disabled Worker UI access toggle.

CRIBL-4484 Corrected the unintended lowercasing of error messages.

CRIBL-2472 Corrected the unintended lowercasing of regex in validation error messages.

CRIBL-4207 The Live button is now grayed out on disabled Routes and Pipelines.

CRIBL-2903 Corrected Settings > Diagnostics page's hidden sidebars after switches between dark and light mode.

CRIBL-4226 Corrected the Git diff view's hiding of single-line changes when the diff gets long.

CRIBL-4486 Corrected the overlap of Git commit buttons.

CRIBL-4492 On S3-based Destinations, corrected the wording of Key prefix fields' tooltips.

CRIBL-4216 Clarified the Aggregations Function's tooltips.

CRIBL-4370 In Source modals, corrected Enabled button's overlap with scroll bars.

CRIBL-4594 In Collectors > Discover results, corrected the display of List of Files rows.

CRIBL-4560 Corrected the Save and Cancel buttons' overlap when resaving a sample data file or datagen.

CRIBL-4536 Corrected Save and Cancel buttons' misalignment when cloning a sample data file or datagen.

CRIBL-4098 The Pipelines page's header has been redesigned.

All About the Copy Button

CRIBL-4520 Corrected Event Breaker field's overlay of Copy button over Flags menu.

CRIBL-4497 Corrected Copy button's position in Event Breaker Rulesets.

CRIBL-4451, CRIBL-4464 Corrected Copy button's overlap of Hide/Show Password button.

CRIBL-4608 Corrected the Aggregations Function's Copy button position.

CRIBL-4619 Corrected the Copy button's behavior in Collector settings > Job Details.

CRIBL-4579 Corrected the Copy button's position on Auth tokens > Description fields.

CRIBL-4589 Corrected Copy buttons' overlap of Certificates modal's field boundaries. (Copy buttons have definitely been biting us lately.)

Documentation Fixes

CRIBL-3739 Corrected API docs' display of Collection Jobs endpoints.

CRIBL-3451 Corrected API docs to display Licenses API.

CRIBL-4610 TLS/SSL docs: Added guidance on validating Common Names in regex.

CRIBL-3023 Clarified Encryption and Decryption docs.