Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF – v.3.1.2

v.2.4.5 Release

6 months ago by Michael Katz

2021-04-20 – Cribl LogStream 2.4.5 – Maintenance Release

New Features

This release provides the following improvements:

New and Enhanced Sources, Destinations, and Collectors

CRIBL-4719 Added a new Azure Blob Storage Collector.

CRIBL-4863 Added a new Google Cloud Storage Collector.

CRIBL-4715 The Splunk HEC Source now recognizes metrics without the event:metric field.

CRIBL-4327 LogStream's AWS SDK is upgraded to v.2.880.0.

CRIBL-4908 LogStream now supports AWS EC2 Instance Metadata Service Version 2 (IMDSv2).

Enhanced Functions

CRIBL-3970 The Rename Function now supports top-level fields and wildcards in Base Fields.

Security and Administration Improvements

CRIBL-4648 Autocomplete/autofill is now disabled for sensitive fields (usernames, tokens, keys, etc.).

CRIBL-4930 Tokens that Splunk HEC rejects as invalid are now logged for debugging, with redaction.

Internal Logging Improvements

CRIBL-4879 HTTP Destinations now write out failed (4xx) requests for inspection.

UI Improvements

CRIBL-4487 Previewed events now have right-side padding.

CRIBL-4632 In regex fields, you can now batch-set multiple flags before the flags pop-up closes.

CRIBL-3482 Changed Dark Mode drop-down (at Settings > General Settings > Display Settings) to a toggle slider.

Deprecated Environment Variables


The following environment variables are deprecated as of LogStream 2.4.5. We plan to remove them as of LogStream 3.0:



This release includes the following fixes:

Startup and Communication Fixes

CRIBL-4799 Setting $CRIBL_VOLUME_DIR on the Master no longer breaks the bootstrap script.

CRIBL-4621 Corrected some Worker Processes' failure to reload Route and Pipeline changes during configuration deployments.

CRIBL-4636 Browsers' JavaScript console no longer logs spurious errors while a user has not yet logged in.

Security and Authentication Fixes

CRIBL-4958 LDAP users' Role mappings now properly handle multiple CN (common name) components within DNs (distinguished names).

CRIBL-4924 In the Certificates page's cert/key fields, the Enter/Return key now properly inserts a newline.

CRIBL-4791 The Splunk TCP Source now redacts invalid authentication tokens when logging them.

CRIBL-4952 Corrected broken Token > Generate button.

CRIBL-4953 Corrected broken paste into password fields.

CRIBL-4991 Corrected paste's failure to overwrite password fields' values.

CRIBL-4943 Corrected S3 Collector > Auto populate from option's treatment of Secret Key from S3 Destinations.

Source, Destinations, and Collectors Fixes

CRIBL-4894 Corrected memory leak and OOM errors on Splunk TCP and Splunk Load Balanced Destinations.

CRIBL-4532 The Splunk HEC Source now properly sets metric inputs' host, source, and sourcetype as dimensions.

CRIBL-4963 Manage Sources pages' Enabled slider now correctly updates the list view.

CRIBL-4874 Moved Multiplexbreaker's high-frequency "flushed stale channels" message to debug level, to allow Worker Processes' logs to rotate properly and prevent memory leaks.

CRIBL-4695 Splunk TCP and Splunk HEC Sources' configuration modals now have consistent tab order.

CRIBL-4840 The S3 Source, in distributed deployments, now properly enforces specifying a Region (unless the Queue entry is a URL or ARN that includes a Region).

CRIBL-4893 The Office 365 Message Trace Source now properly uses the Received field as _time, including in corresponding search filters.

CRIBL-4596 Corrected the Office 365 Message Trace Source's re-running of scheduled jobs.ß

CRIBL-4779 The S3 Collector's S3 bucket field now supports JavaScript expressions, which properly enables the Auto populate from control.

CRIBL-4832 Corrected the Azure Blob Storage Source modal's Enabled slider. Enabling is now enabled.

CRIBL-4792 The Splunk Load Balanced Destination now properly resets active connections after the Auth token field is updated.

CRIBL-4725 On S3, MinIO, and Google Cloud Storage Destinations, we now annotate "Bucket does not exist" error messages with the underlying error.

CRIBL-4881 On Destinations' Status tab, you can now correctly expand Persistent Queue errors.

CRIBL-4566 On the Splunk Single Instance Destination, disambiguated "Persistent Queue engaged" success notification from "Error: sender is blocked" notification.

CRIBL-4939 The Prometheus Destination now includes cribl_host and cribl_wp System fields by default. Cribl recommends keeping these fields onboard, to prevent errors such as sample invalid label, duplicate label name, or out of order.

CRIBL-3800 On all AWS-related Sources and Destinations, renamed the API key field to Access key for clarity.

Functions Fixes

CRIBL-4957 Corrected the C.Text.relativeEntropy() method's loading of models for Lookup tables.

CRIBL-4640 The Clone Function's value fields now support JavaScript expressions.

CRIBL-4750 The Redis Function's Redis URL field now supports and validates redacted, password-only URLs.

Git Integration Fixes

CRIBL-4620 The Git Commit modal now lazy-loads long diffs, to prevent browser lockup.

CRIBL-4622 Corrected the Git Commit & Push button's distribution of global config changes to Worker Groups.

Data Preview, Monitoring, and Logging Fixes

CRIBL-4576 Editing a sample file's name in the Samples modal no longer prematurely changes the name before Save is pressed.

CRIBL-4663 In Preview modals, the Event view now displays events correctly after switching to Table view, then back.

CRIBL-4605 Improved HTTP Destinations' logging of rejected-data errors.

CRIBL-4971 Restored Save button to Log Levels page.

Version Upgrade Fixes

CRIBL-4892 Corrected empty and bigass Settings > Controls > Upgrade modal.

CRIBL-4833 In distributed mode, corrected Upgrade button's red on-hover color.

CRIBL-4834 In distributed mode, realigned Upgrade confirmation text.

Other UX/UI Fixes

CRIBL-4944 Enabled numeric separators at the beginning and end of numeric literals.

CRIBL-4581 On Routes' context menu, after creating or deleting a Route, the Move to Position option now refreshes with current indexes.

CRIBL-4613 The Reuse Connections slider is now consistently placed across AWS-related Sources and Destinations.

CRIBL-4490 Corrected in-app search error when a search token has no Roles.

CRIBL-4882 In Event Breaker Rule modals, restored In tab's zebra stripes.

CRIBL-4858 The Settings > Authentication > Type drop-down no longer displays a (disabled) Cribl Cloud option.

Other Functional Fixes

CRIBL-4922 Corrected SmartGunzip utility's error handling, to prevent components from hanging when trying to decompress an invalid .gz file.

CRIBL-4800 Setting the $CRIBL_VOLUME_DIR environment variable on Docker containers no longer suppresses tailing logs.

CRIBL-4809 The Cribl App for Splunk, if switched to Local Authentication, can now correctly switch back to Splunk Authentication.

Documentation Fixes

CRIBL-4294 Our documentation's former Use Cases and Best Practices sections are merged into a new, more-flexible Techniques & Tips section, which starts with a new Tips and Tricks page.

CRIBL-4431 Added Using REST/API Collectors examples.

CRIBL-4614 Documented more LogStream internal metrics.

CRIBL-4363 Added new Estimating Memory Requirements section.

CRIBL-3368 Expanded System Proxy Configuration instructions, now moved to their own page.

CRIBL-4898 Splunk HEC Source doc now clarifies precedence among event fields, Auth Token fields, and metadata fields

CRIBL-3630 For LogStream Free and One licenses, clarified telemetry requirements and exceptions.

CRIBL-3890 Added a blog post on best practices for chaining LogStream instances.