Cribl LogStream – Docs

Manual version: v2.4.4

Output Router

Output Routers are meta-destinations that select an output based on rules. Rules are evaluated in order, from top to bottom, and the first matching rule wins.

Configuring Cribl LogStream to Send to an Output Router

Select Data > Destinations, then select Output Router from the Data Destinations page's tiles or left menu. Click Add New to open the Output Router > New Destination modal, which provides the following fields.

Router name: Enter a unique name to identify this Router definition.

System fields: A list of fields to automatically add to events that use this output. By default, includes cribl_pipe (identifying the LogStream Pipeline that processed the event). Supports wildcards. Other options include:

  • cribl_host – LogStream Node that processed the event.
  • cribl_wp – LogStream Worker Process that processed the event.
  • cribl_input – LogStream Source that processed the event.
  • cribl_output – LogStream Destination that processed the event.

Rules: A list of event routing rules. Each provides the following settings:

  • Filter expression: JavaScript expression to select events to send to output.
  • Output: Output to send matching events to.
  • Description: Optionally, enter a description of this rule's purpose.
  • Final: Flag that controls whether to stop the event from being checked against other rules lower in the stack. Defaults to Yes.

Notes

  • An Output Router cannot reference another. This is by design, so as to avoid circular references.
  • Also to avoid circular references, an Output Router cannot reference a Default Destination that points back to an Output Router.
  • Events that do not match any of the rules are dropped. Use a catchall rule to change this behavior.
  • No post-processing (conditioning) can be done here. Instead, use pre-processing Pipelines on the Source tier.
  • Data can be cloned by toggling the Final flag to No. (The default is Yes, i.e., no cloning.)

Example

Scenario:

  • Send all events where host starts with 66 to Destination San Francisco.
  • From the rest of the events:
    • Send all events with method field POST or GET to both Seattle and Los Angeles (i.e., clone).
  • Send the remaining events to New York City.

Router Name: router66

Filter Expression                   Output          Final
host.startsWith('66')               San Francisco   Yes
method=='POST' || method=='GET'     Seattle         No
method=='POST' || method=='GET'     Los Angeles     Yes
true                                New York        Yes
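
The rule semantics described on this page (top-down evaluation, the Final flag, and dropping of unmatched events), simulated for router66 as an added example. This is not Cribl LogStream code: the `route` and `audit` functions, the rule object shape, and the sample events are hypothetical, and a missing field is assumed to be a non-match.

```javascript
// Added example: simulates the rule semantics documented on this page.
// Not Cribl LogStream code; filters are plain functions standing in for the
// JavaScript filter expressions. Assumption: a missing field is a non-match.

// router66 rules from the table, in evaluation order.
const router66 = [
  { filter: e => typeof e.host === 'string' && e.host.startsWith('66'),
    output: 'San Francisco', final: true },
  { filter: e => e.method === 'POST' || e.method === 'GET',
    output: 'Seattle', final: false },      // Final = No: clone and keep going
  { filter: e => e.method === 'POST' || e.method === 'GET',
    output: 'Los Angeles', final: true },
  { filter: () => true, output: 'New York', final: true },  // catchall
];

// Evaluate rules top-down and return the outputs that receive the event.
// An empty array means no rule matched, i.e. the event is dropped.
function route(rules, event) {
  const outputs = [];
  for (const rule of rules) {
    if (!rule.filter(event)) continue;
    outputs.push(rule.output);
    if (rule.final) break;                  // Final = Yes stops evaluation
  }
  return outputs;
}

// Replay sample events through a rule set: count deliveries per output and
// collect events that would be dropped, so a missing catchall is visible.
function audit(rules, events) {
  const perOutput = {};
  const dropped = [];
  for (const event of events) {
    const outputs = route(rules, event);
    if (outputs.length === 0) dropped.push(event);
    for (const o of outputs) perOutput[o] = (perOutput[o] || 0) + 1;
  }
  return { perOutput, dropped };
}

// Constructed sample events (not real data).
const sampleEvents = [
  { host: '66.10.0.1', method: 'GET' },
  { host: '10.0.0.5', method: 'POST' },
  { host: '10.0.0.6', method: 'DELETE' },
  { host: '10.0.0.7' },
];

console.log(audit(router66, sampleEvents));
console.log(audit(router66.slice(0, 3), sampleEvents).dropped); // no catchall
```

Replaying representative events through a rule set before deploying it shows which events would reach no Destination, which matters when the routed data feeds detection or audit storage.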
