v.4.7.2 Release

PRODUCT | DATE | RELEASE | ADDITIONAL RESOURCES
Edge | 2024-07-17 | Maintenance | Known Issues, Cribl Stream 4.7.2 Release Notes

This maintenance release of Cribl Edge includes bug fixes and new features.

Experience Improvements

  • We improved how Windows Edge Nodes maintain their connection to the Leader when upgrading. In previous versions of Cribl Edge, Windows Edge Nodes could intermittently lose the connection to the Leader and stop sending data. CRIBL-25302, CRIBL-25405, CRIBL-24984, CRIBL-24645

  • When you use Add/Update Edge Node on a Windows Node, you can now choose between a PowerShell or Command Prompt script.

  • We improved the reliability of the AWS runtime metadata detection, which addresses issues some users encountered when trying to access that information for mappings.

  • The new OTLP Traces Function allows you to normalize and batch OpenTelemetry (OTLP) trace events. This Function supports both OTLP versions 0.10.0 and 1.3.1. Batches leverage existing Resource Attributes with the option to drop non-trace events. This enhancement improves the efficiency and flexibility of handling trace data, making it easier to manage and process trace events.

  • We’ve enhanced your auditing capabilities by adding capture filter expressions to audit logs. This allows you to track and log the filter expressions used during data captures, providing greater transparency and traceability.

  • You can now add tags to Edge Nodes and Stream Workers you’re teleported into. Since tags apply to a whole Fleet or Group, you must confirm the change before saving the tags (on Cribl.Cloud).

Sources and Destinations

  • HTTP-based Sources now support IP allowlist and denylist regex options. The allowlist regex permits requests from matching IP addresses, while the denylist regex blocks requests from matching IP addresses, even if they match the allowlist.

  • We’ve enhanced the configurability of Kafka, Confluent Cloud, Amazon MSK, and Azure Event Hubs Sources and Destinations by exposing new retry mechanisms. The new Retries section allows you to fine-tune retry settings to better handle transient errors and improve the reliability of your integrations.

  • We’ve improved the performance of the Azure Blob Storage Destination by increasing the buffer size for data uploads. This change reduces the number of operations required, resulting in faster and more cost-effective data transfers to Azure Blob Storage.

  • The Datadog Destination now supports sending distribution metrics via the api/v1/distribution_points endpoint. When an event contains only distribution type metrics, including those generated by the Publish Metrics Function, it will use this new endpoint to send the data to Datadog. This allows for more accurate and efficient metric data handling, ensuring that distribution metrics are properly routed and processed by Datadog.

  • We’ve added a DNS resolution period (sec) setting for Syslog (UDP), SNMP, and Metrics (UDP) Destinations. Setting this value above zero means DNS lookups for hostnames will occur periodically instead of on every outgoing datagram.

  • The Filesystem Destination has two new settings, Compression level and Writing high watermark (KB). These allow you to optimize file compression for performance and manage buffer sizes for efficient file writing, enhancing overall system efficiency and resource management.

  • On HTTP/S-based Destinations, when persistent queues drain, Cribl Stream and Cribl Edge now minimize the transmission of potential duplicate events that were retried on failure. However, some events that were in transit to the Destination might still emerge as duplicates.
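
The allowlist/denylist precedence described above for HTTP-based Sources, as an added example (not Cribl's code). It models only the stated rule that a denylist match blocks even when the allowlist matches, and shows how an unescaped dot or a missing anchor changes which addresses get through. Function names, rule sets and addresses are constructed for illustration.

```javascript
// Added example: models only the precedence stated in the release note.
// isAllowed, admitted, the rule sets and the addresses are all constructed.
function isAllowed(ip, { allow, deny }) {
  // Denylist first: a match blocks the request even if the allowlist matches.
  if (deny && deny.test(ip)) return false;
  // Assumption: with no allowlist configured, any non-denied address passes.
  return allow ? allow.test(ip) : true;
}

function admitted(ips, rules) {
  return ips.filter((ip) => isAllowed(ip, rules));
}

const clients = [
  '10.1.2.3',    // internal host, should be admitted
  '10.9.9.9',    // internal host we want to block
  '10.9.9.90',   // different internal host, should be admitted
  '100.64.0.7',  // not in 10.0.0.0/8
  '192.0.2.10',  // external
];

// Loose patterns: unescaped "." matches any character, deny is unanchored.
const loose = { allow: /^10./, deny: /10\.9\.9\.9/ };
// Tight patterns: literal dots, deny anchored at both ends.
const tight = { allow: /^10\./, deny: /^10\.9\.9\.9$/ };

console.log('loose:', admitted(clients, loose));
console.log('tight:', admitted(clients, tight));
```

With the loose rules, 100.64.0.7 is admitted and 10.9.9.90 is blocked; the tight rules reverse both outcomes.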

Corrections

ID | Description
CRIBL-24105 | When upgrading Nodes in a Fleet, the Edge version mismatch between Leader and Worker error now correctly references Node instead of Worker.
CRIBL-25928 | When sending events to a Splunk HEC Destination, if the _raw field is an empty string, Cribl Stream will send an empty string as _raw instead of trying to send the full serialized event. This results in an error from Splunk and the event is dropped.
CRIBL-25927 | Splunk drops events that include a null _time field sent by Cribl to a Splunk HEC Destination, halting further processing of the entire payload (potential data loss).
CRIBL-26090 | Fixed a bug in the Splunk HEC Destination that caused arrays to be sent as a string instead of a multi-valued field. If you depended on this behavior previously, you can use a Pipeline to JSON.stringify() your array before sending out through the Splunk HEC Destination.
CRIBL-25431 | The Splunk HEC Destination was incorrectly sending the _subsecond field, causing downstream issues. This field was redundant as subsecond information is already preserved in the _time field.
CRIBL-25411 | Removed the redundant Authentication method and Auth token fields from the General Settings section of the Splunk Load Balanced Destination configuration. These fields were previously visible above the OPTIONAL SETTINGS and outside of the Authentication tokens group, causing confusion. Users should now configure authentication tokens within the designated group.
CRIBL-25633 | In certain cases, events sent to Splunk Cloud using the Splunk TCP Source and Splunk TCP Destination with S2S v3 were not ingested due to malformed subsecond fields in the timestamp.
CRIBL-25572 | Syslog Sources configured with octet-count framing (version 4.7.0 and older), or with octetCounting: true (via Manage as JSON since v.4.7.0), can malfunction if they receive unframed messages over TCP. This will cause the Source to return many warning messages like "Invalid octet count: undefined. Trying to skip to next frame", and the Edge Node may run out of memory.
CRIBL-25435 | Using a Prometheus Source for summary metrics, the quantile_values were formatted as an object. However, for OTLP (OpenTelemetry Protocol) serialization, quantile_values must be in array format. This discrepancy caused errors when attempting to write summary metrics to Kafka Destinations, resulting in failed metric transmissions.
CRIBL-24060 | Timezone shifts were applied earlier than expected. This caused a few issues – events ingested into Splunk Cloud had incorrect timestamps, resulting in a one-hour discrepancy. The Auto Timestamp Function, timestamp parsing in Event Breakers, and the Syslog Source had timezone discrepancies.
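
The failure mode in CRIBL-25572 is an octet-count decoder receiving unframed input over TCP. The following added example (not Cribl's code) decodes RFC 6587 octet-counted syslog defensively: it rejects anything that does not start with a valid length, resynchronizes at the next line feed, and never buffers more than one bounded frame. The class name, helper and size limits are assumptions for illustration.

```javascript
// Added example, not Cribl's code: a bounded decoder for RFC 6587
// octet-counted syslog ("MSG-LEN SP SYSLOG-MSG"). Names and limits are assumed.
const MAX_FRAME = 8192; // assumed per-message cap, in bytes
const HEADER_MAX = 5;   // longest valid header: "8192" plus the space

class OctetCountDecoder {
  constructor() {
    this.buf = Buffer.alloc(0);
    this.messages = []; // decoded frames
    this.rejected = 0;  // resync events caused by bad framing
  }

  push(chunk) {
    this.buf = Buffer.concat([this.buf, chunk]);
    while (this.buf.length > 0) {
      const head = this.buf.subarray(0, HEADER_MAX).toString('latin1');
      const m = /^([1-9]\d*) /.exec(head);
      if (m && Number(m[1]) <= MAX_FRAME) {
        const start = m[0].length;
        const end = start + Number(m[1]);
        if (this.buf.length < end) return; // frame incomplete: wait for more
        this.messages.push(this.buf.subarray(start, end).toString('utf8'));
        this.buf = this.buf.subarray(end);
      } else if (!m && /^[1-9]\d*$/.test(head) && head.length < HEADER_MAX) {
        return; // only digits so far: header incomplete, wait for more
      } else {
        // Not a valid count (an unframed "<PRI>..." line, or an oversized
        // length). Discard through the next LF, or everything buffered,
        // so malformed input can never accumulate in memory.
        this.rejected += 1;
        const lf = this.buf.indexOf(0x0a);
        this.buf = lf === -1 ? Buffer.alloc(0) : this.buf.subarray(lf + 1);
      }
    }
  }
}

// Helper: feed constructed TCP chunks through a fresh decoder.
function decodeChunks(chunks) {
  const d = new OctetCountDecoder();
  for (const c of chunks) d.push(Buffer.from(c));
  return { messages: d.messages, rejected: d.rejected, buffered: d.buf.length };
}
```

A rising `rejected` count on a listener configured for octet counting is a useful signal that a sender is using newline-delimited framing instead.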

Cribl Edge on Windows

We’ve made a handful of corrections in this release specifically for Edge on Windows.

ID | Description
CRIBL-25372 | We fixed an issue where some Sources and Destinations weren’t appearing on the Health page for a Fleet. This affected predominantly Windows Sources.
CRIBL-25234 | The Add/Update Edge Node command now uses the correct Target Version for your Fleet, which improves update accuracy. Previously, the command used the Leader Version’s CDN URL. This applies to all supported environments: Docker, Kubernetes, Linux, and Windows. If you don’t choose a specific target version, Docker and Kubernetes will default to the Leader Version’s image, Linux uses the downloaded script, and Windows will grab the Leader Version from the CDN.
CRIBL-25164 | The Windows Metrics Source was displaying negative values for network metrics.
CRIBL-25830 | In Cribl.Cloud, the Overview and Health menus are now drop-downs instead of high-level menu options. Overview leads to Monitor, List View, and Map View. Health leads to Sources, Destinations, Routes, Pipelines, Packs, and Knowledge.

Security Fixes

ID | Description
CRIBL-25417 | Using custom CA certificates with Cribl HTTP Sources and Destinations with Load Balancing enabled caused certificate verification failures. The connection would fail with a self-signed certificate in certificate chain error.
CRIBL-25951 | Scripts, as a security-sensitive feature, are now disabled by default in new deployments. Admin users can enable them in the settings if needed. Existing deployments won’t change, but Admins can also disable scripts for the whole deployment.

Other Functional Fixes

ID | Description
CRIBL-25888 | Groups and Fleets with similar names (hyphen vs. underscore) caused configuration conflicts. This update eliminates naming-based configuration conflicts, improving the reliability of UI configuration workflows.
CRIBL-25304 | Lowering the Max number of metrics limit could cause errors similar to Cannot read properties of null (reading 'trim') when sending CriblMetrics out through a Destination.