Output Routers are meta-destinations that allow for output selection based on rules. Rules are evaluated in order, top‑>down, with the first match being the winner.

Configuring Cribl LogStream to Send to an Output Router

Select Data > Destinations, then select Output Router from the Data Destinations page's tiles or left menu. Click Add New to open the Output Router > New Destination modal, which provides the following fields.

Router name: Enter a unique name to identify this Router definition.

System fields: A list of fields to automatically add to events that use this output. By default, includes cribl_pipe (identifying the LogStream Pipeline that processed the event). Supports wildcards. Other options include:

• cribl_host – LogStream Node that processed the event.
• cribl_wp – LogStream Worker Process that processed the event.
• cribl_input – LogStream Source that processed the event.
• cribl_output – LogStream Destination that processed the event.

Rules: A list of event routing rules. Each provides the following settings:

• Filter expression: JavaScript expression to select events to send to output.
• Output: Output to send matching events to.
• Final: Flag that controls whether to stop the event from being checked against other rules lower in the stack. Defaults to Yes.

Notes

• An Output Router cannot reference another. This is by design, so as to avoid cycles.
• Events that do not match any of the rules are dropped. Use a catchall rule to change this behavior.
• No post-processing (conditioning) can be done here. Use Pre-Processing Pipelines on the Source tier.
• Data can be cloned by toggling the Final flag to No. (The default is Yes, i.e., no cloning.)

Example

Scenario:

• Send all events where host starts with 66 to Destination San Francisco.
• From the rest of the events:
  • Send all events with method field POST or GET to both Seattle and Los Angeles (i.e., clone).
• Send the remaining events to New York City.

Router Name: router66