Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF – v.3.1.2

v.3.0.2 Release

4 months ago by Michael Katz

2021-06-22 – Cribl LogStream 3.0.2 – Maintenance Release

New Features

This release provides the following improvements:

CRIBL-5135 LogStream's Prometheus Source now provides authentication options.

CRIBL-5325 Kafka-based Sources (Kafka and Azure Event Hubs) now expose timeout options in Advanced Settings.

CRIBL-5352 The REST Collector's Discover phase now supports XML responses.

CRIBL-4521 The REST Collector now supports RFC 5988 (Web-linking) pagination.

CRIBL-5312 The Numerify Function provides now provides a Filter expression field, which can be used to list specific fields to numerify.

CRIBL-4582 The Aggregations Function > Aggregates field now supports top() and median() methods.

CRIBL-5448 To better utilize available computing resources, we've increased the minimum number of Worker Processes per Worker Node from 1 to 2.


This release includes the following fixes:

Security and Authentication Fixes

CRIBL-5096 The cluster port's TLS key passphrase is now encrypted on Workers and on the Leader.

CRIBL-5207 Removed browser password suggestions from Groups' Settings > Security > Secrets > Value field.

CRIBL-5020 the Settings > Security > Certificates page, LogStream now properly restarts after changes to a certificate in use.

CRIBL-5021 On the Settings > Security > Certificates page, changing a certificate in use no longer changes Referenced objects' status from Yes to No.

CRIBL-5477 In the New Certificates modal, several fields now clearly indicate options to drag and drop, or upload, cert/key files.

CRIBL-5481 The Splunk TCP Source now correctly handles Splunk Universal Forwarder's sending of an S2S token in the initial event.

CRIBL-5431 Corrected line-breaking errors on Splunk Universal Forwarder data sent to Splunk TCP Source with S2S tokens.

CRIBL-5279 LogStream now properly authenticates against HashiCorp Vault using credentials files configured for IAM users at Settings > Security > KMS,

CRIBL-5394 The Vault KMS's health check is now optional, with a configurable endpoint.

CRIBL-5376 Corrected breakage of Leader Node's execution permission after upgrades via the UI.

CRIBL-5306 Users with user Role can now view Settings > System Information.

CRIBL-5356 Corrected sticky "unsaved changes" dialog upon session logout.

Startup and Communication Fixes

CRIBL-5255 The LogStream server and UI now correctly restart with the CRIBL_DIST_MODE=leader environment variable.

CRIBL-5460 Responses from /system/info endpoint are now faster, and now omit environment variables.

CRIBL-4889 Corrected Workers' startup error: "Invalid URL: undefined. Falling back to file config."

Source, Collectors, and Destinations Fixes

CRIBL-5515 The Splunk TCP Source now correctly sets key-value pairs from _meta fields sent by Splunk Universal Forwarder.

CRIBL-5040 Corrected the Splunk TCP Source's processing of events chained from Splunk Universal Forwarder > Heavy Forwarder.

CRIBL-5430 On the Google Pub/Sub Source, corrected error that broke data flow.

CRIBL-4784 Corrected S3 Source's Total VisibilityTimeout errors on SQS queues.

CRIBL-5243 Corrected Office 365 Activity Source error when client secret contained a backtick.

CRIBL-5249 Corrected Office 365 Message Trace Source's failure to collect discovered events.

CRIBL-5402 The cribl‑metrics_rollup pre-processing Pipeline now appends an (optional) Eval Function to remove sourcetype fields from cribl.logstream.sourcetype.* internal metrics.

CRIBL-5461 Corrected UI errors when accessing Pre‑Processing and Post‑Processing settings.

CRIBL-5497 Extended Kafka Source's and Destination's Logging Level to KafkaJS logger.

CRIBL-4993 Collectors' Preview modal is now consistently displayed.

CRIBL-4985 Corrected Azure Blob and Google Cloud Collectors' unintended discovery of files in subdirectories even when the Recursive option was set to No.

CRIBL-4996 Filesystem and S3-based Destinations (S3, Azure Blob Storage, MinIO) expose a new Remove staging dirs option to prevent the proliferation of orphaned, empty staging directories.

Functions Fixes

CRIBL-5102 Corrected suppression of sourcetype metrics when CriblMetrics Source is enabled and cribl_metrics_rollup pre-processing Pipeline is attached to a Source.

CRIBL-5316 In Rename Functions using a Rename expression, corrected unhandledRejection errors.

CRIBL-5107 In Rename Functions, corrected Rename expression field's inability to access other fields via event.<fieldName>.

CRIBL-5284 In Pipelines' + Function drop-down, made Function links consistently clickable.

CRIBL-5322 The UI now propoerly indicates that the Reverse DNS and and Prometheus Publisher Functions are deprecated.

Packs Fixes

CRIBL-5486 Corrected "pattern not defined" errors on Grok Functions in Packs.

CRIBL-5434 Corrected upgrade errors on Packs with overridden names.

CRIBL-5401 Corrected "undefined is not iterable" error when accessing a Pack from a Route.

CRIBL-5260 Clarified Packs' import/export UI messaging.

CRIBL-5289 Corrected mysterious truncated "p" in Packs' breadcrumbs.

CRIBL-5267 Clarified error message upon trying to create a Pack with an invalid version number.

CRIBL-5283 Within a Pack, switching between the Routes and Pipelines pages no longer toggles the Samples context between All and Pack Only.

Version Upgrades Fixes

CRIBL-5217 Automated upgrades now follow instances' custom directory names, rather than hard-coding cribl.

CRIBL-5468 Saves to upgrade settings are no longer validated against unrelated schema items.

CRIBL-5238 LogStream now more-gracefully handles cases where backups directory does not exist.

CRIBL-5212 The Upgrade Worker Groups > View button now displays the correct Job Inspector tab.

CRIBL-4904 Settings > Upgrade controls are now displayed only on the Leader, as intended.

CRIBL-5270 Switching the Package source between CDN and Path no longer causes the Save/Cancel buttons to blink.

Git Integration Fixes

CRIBL-4726 Lookup file names with spaces no longer block commits.

CRIBL-5337 Git commit failures against a remote repo no longer trigger nonspecific "API error" messages.

CRIBL-5093, CRIBL-5339 Corrected delay and inconsistency in displaying combined/collapsed Commit and Deploy buttons.

Data Preview, Monitoring, and Logging Fixes

CRIBL-5345 Previewing Live data after clearing filters no longer triggers "Cannot read property 'id' of null" error.

CRIBL-5158 Uploading sample data files now respects Workers' configured Settings > Limits > Max sample size limit, with clear messaging when the limit causes file truncation.

CRIBL-5240 Corrected the Preview pane's failure to display winlogbeat fields unril the source field was expanded.

CRIBL-5452 Corrected the display of sample events' Show more/Show less links.

CRIBL-5245 When capturing data from the Routes page, LogStream no longer prematurely displays a "You have unsaved changes" dialog.

CRIBL-5467 Corrected save errors on Settings > Logging > Levels page.

CRIBL-5310 Corrected multiple display issues on Settings > Logging > Levels page.

Other Functional Fixes

CRIBL-5227 Bulk deletion of objects (e.g., Packs) now shows items that were preserved to avoid dependency conflicts.

CRIBL-5098 Corrected Cribl App for Splunk's failure to retrieve Worker logs.

Other UX/UI Fixes

CRIBL-5501 Added Group Selector drop-down to Leader > Worker UI orange header.

CRIBL-5285 Corrected masked text in large free-text fields.

CRIBL-5215 System error messages are no longer masked by an expanded left nav.

CRIBL-5313 Corrected the Paste Pipeline modal's display.

CRIBL-5405 Headers now immediately obey color switch to dark mode.

CRIBL-5375 The Group selector's border colors now obey dark mode.

CRIBL-5374 Improved the Git diff modal's colors for better visibility in dark mode.

CRIBL-5234 Corrected the Groups page's loading delay.

CRIBL-5367 The Office 365 Activity Source's Publisher Identifier field's tooltip no longer shows raw HTML.

CRIBL-5287 The Confirm password field now correctly shows a "Required" asterisk.

CRIBL-5307 The Monitoring page's Free Memory and CPU Load Average displays are now vertically centered when zoomed up.

Documentation Fixes

CRIBL-4240 Documentation on pull-based Sources now clarifies how LogStream retrieves data.