Sample Data Preview is a LogStream feature that allows for visual inspection of events as they make their trip into a Pipeline. It helps you shape and control events before they're delivered to a Destination, as well as assisting with troubleshooting LogStream Functions.
Preview works by taking a set of Sample events, passing them through the Pipeline, and displaying the result in a separate pane. Any time a Function is modified, added, or removed, the Pipeline changes, and so does its displayed output.
While you're in a Pipeline, you can add samples through one of the supported options: Paste, Attach, or Capture New. The Paste and Attach options work with content that needs to be broken into events, while the Capture New option works with events only.
When you click on the corresponding option, you'll be presented with a modal like the one shown below.
The Capture New modal is slightly different – it does not require event breaking.
This is where the content of the paste (or uploaded file) is displayed.
An Event Breaker is a regular expression that tells Cribl LogStream how to break the file or pasted content into events. Breaking will occur at the start of the match. Cribl LogStream ships with several common breaker patterns out of the box, but you can also configure custom breakers. The UI here is interactive, and you can iterate until you find the exact pattern.
The Fields section enables users to add, or overwrite. key/value pairs on the sample.
The Preview pane offers two display options for the event: Event and Table. (You can also download data as JSON or NDJSON, using the Advanced Settings menu at the top right.) Each format can be useful, depending on the type of data you are previewing.
In the Advanced Settings menu's Timeout (sec) and Memory (MB) fields, you can increase the defaults to adjust for cases where very large data samples fail to load. For example, you might increase the Timeout (sec) to
30 and the Memory (MB) to
As you add more samples to your system, you can easily access them via the Samples drop-down near the top right, under Quick Stats.
You can also manage, clone/modify, and delete samples via the Samples tab below.
As data traverses Functions in a Pipeline, events can be modified, and some might be dropped altogether. The OUT tab indicates changes using this color coding:
Dropped events: When events are dropped, the OUT tab displays them as grayed-out text, with strikethrough. You can control their display using the Advanced Settings menu's Show Dropped Events slider.
Added fields: When LogStream's processing adds new fields, these fields are highlighted green. You can control these fields' display using the Select Fields drop-down.
Redacted fields: These fields are highlighted amber.
Deleted fields: These fields are highlighted red.
Updated 2 months ago