Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up)
Download entire manual as PDF - v2.4.2

Data Preview

Sample Data Preview is a LogStream feature that allows for visual inspection of events as they make their trip into a Pipeline. It helps you shape and control events before they're delivered to a Destination, as well as assisting with troubleshooting LogStream Functions.

Preview works by taking a set of Sample events, passing them through the Pipeline, and displaying the result in a separate pane. Any time a Function is modified, added, or removed, the Pipeline changes, and so does its displayed output.

Preview options

While you're in a Pipeline, you can add samples through one of the supported options: Paste, Attach, or Capture New. The Paste and Attach options work with content that needs to be broken into events, while the Capture New option works with events only.

Adding Sample Data (Using Paste as an Example)

When you click on the corresponding option, you'll be presented with a modal like the one shown below.

Add Sample Data modal

📘

The Capture New modal is slightly different – it does not require event breaking.

Paste Area

This is where the content of the paste (or uploaded file) is displayed.

Event Breaker Settings

An Event Breaker is a regular expression that tells Cribl LogStream how to break the file or pasted content into events. Breaking will occur at the start of the match. Cribl LogStream ships with several common breaker patterns out of the box, but you can also configure custom breakers. The UI here is interactive, and you can iterate until you find the exact pattern.

Fields

The Fields section enables users to add, or overwrite. key/value pairs on the sample.

IN Tab: Displaying Samples on the Way IN to the Pipeline

The Preview pane offers two display options for the event: Event and Table. (You can also download data as JSON or NDJSON, using the Advanced Settings menu at the top right.) Each format can be useful, depending on the type of data you are previewing.

Event, Table, and Advanced options

In the Advanced Settings menu's Timeout (sec) and Memory (MB) fields, you can increase the defaults to adjust for cases where very large data samples fail to load. For example, you might increase the Timeout (sec) to 30 and the Memory (MB) to 3048.

As you add more samples to your system, you can easily access them via the Samples drop-down near the top right, under Quick Stats.

Selecting an existing sample

You can also manage, clone/modify, and delete samples via the Samples tab below.

OUT Tab: Displaying Samples on the Way OUT of the Pipeline

As data traverses Functions in a Pipeline, events can be modified, and some might be dropped altogether. The OUT tab indicates changes using this color coding:

  • Dropped events: When events are dropped, the OUT tab displays them as grayed-out text, with strikethrough. You can control their display using the Advanced Settings menu's Show Dropped Events slider.

  • Added fields: When LogStream's processing adds new fields, these fields are highlighted green. You can control these fields' display using the Select Fields drop-down.

  • Redacted fields: These fields are highlighted amber.

  • Deleted fields: These fields are highlighted red.

Dropped and added fields in a Pipeline's output

Updated 2 months ago

Data Preview


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.