Cribl LogStream – Docs

Cribl LogStream Documentation

Download entire manual as PDF - v2.3.3

Data Preview

Sample Data Preview is a LogStream feature that allows for visual inspection of events as they make their trip into a Pipeline. It helps you shape and control events before they're delivered to a Destination, as well as assisting with troubleshooting LogStream Functions.

Preview works by taking a set of Sample events, passing them through the Pipeline, and displaying the result in a separate pane. Any time a Function is modified, added, or removed, the Pipeline changes, and so does its displayed output.

Preview options

While you're in a Pipeline, you can add samples through one of the supported options: Paste, Attach, or Capture New. The Paste and Attach options work with content that needs to be broken into events, while the Capture New option works with events only.

Adding Sample Data (Using Paste as an Example)

When you click on the corresponding option, you'll be presented with a modal like the one shown below.

Add Sample Data modal


The Capture New modal is slightly different: it does not require event breaking.

Paste Area

This is where the content of the paste (or uploaded file) is displayed.

Event Breaker Settings

An Event Breaker is a regular expression that tells Cribl LogStream how to break the file or pasted content into events. Breaking will occur at the start of the match. Cribl LogStream ships with several common breaker patterns out of the box, but you can also configure custom breakers. The UI here is interactive, and you can iterate until you find the exact pattern.
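
As an added illustration (not Cribl's code and not part of the original documentation), the following JavaScript models the break-at-start-of-match behavior on constructed syslog-style lines. The function name `breakEvents` and the sample data are hypothetical; the example compares a per-line breaker, which fragments a multi-line stack trace, with a timestamp-anchored breaker.

```javascript
// Added illustration: models "breaking will occur at the start of the match".
// Not Cribl LogStream's implementation; breakEvents is a hypothetical helper.
function breakEvents(content, breaker) {
  // matchAll() requires the global flag; keep any other flags (e.g. m, i).
  const flags = breaker.flags.includes('g') ? breaker.flags : breaker.flags + 'g';
  const re = new RegExp(breaker.source, flags);

  // Collect the offset where each match starts. A match at offset 0 creates
  // no break, and zero-length matches (e.g. /^/m) are handled by matchAll().
  const starts = [];
  for (const m of content.matchAll(re)) {
    if (m.index > 0 && m.index !== starts[starts.length - 1]) starts.push(m.index);
  }

  // Cut the content at every recorded offset.
  const events = [];
  let prev = 0;
  for (const s of starts) {
    events.push(content.slice(prev, s));
    prev = s;
  }
  events.push(content.slice(prev));

  // Assumption for readability in this model: drop the trailing newline of
  // each event and discard empty events.
  return events.map((e) => e.replace(/\r?\n$/, '')).filter((e) => e.length > 0);
}

// Constructed sample: three events, the second spanning three lines.
const SAMPLE = [
  '2020-11-02T10:15:01Z sshd[311]: Failed password for invalid user admin from 192.0.2.10',
  '2020-11-02T10:15:02Z app[88]: ERROR unhandled exception',
  '  at handler (/srv/app/index.js:42)',
  '  at process (/srv/app/queue.js:7)',
  '2020-11-02T10:15:03Z sshd[311]: Accepted publickey for deploy from 192.0.2.20',
].join('\n');

// Per-line breaker: the stack trace is split into fragments without timestamps.
const perLine = breakEvents(SAMPLE, /^/m);
// Timestamp-anchored breaker: continuation lines stay with their event.
const perTimestamp = breakEvents(SAMPLE, /^\d{4}-\d{2}-\d{2}T/m);

console.log('per-line events:', perLine.length);
console.log('timestamp events:', perTimestamp.length);
console.log(perTimestamp[1]);
```

Because the break happens at the start of the match, the matched timestamp stays at the head of the event that follows it rather than being consumed as a delimiter.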


The Fields section enables users to add or overwrite key/value pairs on the sample.

In Tab: Displaying Samples on the Way IN to the Pipeline

There are two display options for the event: Event and Table. (You can also download data as JSON or NDJSON, using the Advanced Settings menu at the top right.) Each format can be useful, depending on the type of data you are previewing.

Event, Table, and Advanced options

In the Advanced Settings menu's Timeout (sec) and Memory (MB) fields, you can increase the defaults to adjust for cases where very large data samples fail to load. For example, you might increase the Timeout (sec) to 30 and the Memory (MB) to 3048.

As you add more samples to your system, you can easily access them via the Samples drop-down near the top right, under Quick Stats.

Selecting an existing sample

You can also manage, clone/modify, and delete samples via the Samples tab below.

Out Tab: Displaying Samples on the Way OUT of the Pipeline

As data traverses Functions in a Pipeline, events can be modified, and some might be dropped altogether. When they're dropped, the Out tab displays them as grayed-out text, with strikethrough. You can control their display using the Advanced Settings menu's Show Dropped Events slider.

When LogStream's processing adds new fields, these fields are highlighted green. You can control these fields' display using the Select Fields drop-down.

Dropped and added fields in a Pipeline's output
