Cribl Search 4.17.1
| PRODUCT | DATE | RELEASE | ADDITIONAL RESOURCES |
|---|---|---|---|
| Search | 2026-04-22 | Maintenance | Known Issues, Cribl Lake Release Notes |
Summary
Cribl Search 4.17.1 introduces staggered Cribl.Cloud upgrade windows, adds IP allowlisting for API credentials, and improves the login experience for users with multiple Organizations or sign-in methods.
It also extends lakehouse and Dataset workflows (including Generic HTTP API POST-with-body, retention and field rules, clearing hosted data in place, and Dataset UI updates such as Notebooks and Dashboards tabs).
New Release Windows
Beginning with this release, Cribl.Cloud will have multiple upgrade windows as follows:
| Upgrade Window | Time and Date | AWS Regions Included |
|---|---|---|
| All Standard Organizations | 21 Apr 2026 between 12:00 and 24:00 UTC (8:00 AM and 8:00 PM EDT) | All regions |
| US West and APAC (Enterprise) | 22 Apr 2026 between 10:00 and 13:00 UTC (6:00 AM and 9:00 AM EDT) | ap-northeast-1, ap-southeast-1, ap-southeast-2, and us-west-2 |
| US East and EMEA (Enterprise) | 23 Apr 2026 between 00:00 and 03:00 UTC (8:00 PM and 11:00 PM EDT) | ca-central-1, eu-central-1, eu-central-2, eu-west-1, eu-west-2, eu-west-3, sa-east-1, us-east-1, and us-east-2 |
The upgrade windows apply to your Leader. Cribl.Cloud Workers will be upgraded immediately after the Leader is upgraded, regardless of the region they reside in.
On-prem binaries will be available on 22 Apr 2026. However, if you are a hybrid user, you must wait until your cloud Leader has been upgraded before upgrading your Workers. Failure to do so will result in unexpected behavior.
Upcoming Changes to Sensitive Information in API Responses
In an upcoming release, API responses for the following endpoints will no longer include sensitive information in plaintext:
/system/settings/system/settings/auth/lib/database-connections
This affects passwords and password-equivalent attributes such as bindCredentials and client_secret. The values for these attributes will be omitted or masked in responses.
What you need to do: Update any automation or scripts that depend on reading these plaintext values from the API responses for these endpoints.
IP Allowlisting for API Credentials in Cribl.Cloud
Use the new IP Allowlist option to restrict API access to specific IPv4 CIDR ranges for API Credentials.
New Login Experience for Cribl.Cloud
If you have access to multiple Organizations, you can select the Organization to log in to from the start. Also, if you have multiple authentication methods, you can choose which one to use to log in.
Billing Reader Permission in Cribl.Cloud
The new Billing Reader Permission provides read-only access to view billing information and credit consumption in the FinOps Center.
New POST with Body Method for Generic HTTP API Dataset Provider
The Generic HTTP API Dataset Provider now supports POST with body requests, so Cribl Search can query REST APIs that
require a request payload. It currently supports JSON array or simple wrapped JSON responses, plus OAuth2, custom
headers, and variable substitution, allowing you to pass a search query from the search bar into the POST body. For
example, by inserting ${queryString} into the queryString field.
Default Retention Time for main and New Lakehouse Engine Datasets
The default retention period for the main Dataset is now a maximum of 10 years. For any newly created Search Datasets,
the default retention is 1 year. You can modify these retention settings as required.
New 2XS and 3XS Lakehouse Engine Sizes
We’ve added two new lakehouse engine sizes to support smaller ingest volumes: 2XS (150 GB) and 3XS (75 GB). See Lakehouse Engine Sizes for a full table of available sizes.
Dataset-Level Field Modification
When ingesting into Cribl Search, you can now use Dataset rules to modify fields after Datatyping parses the events. This lets you apply Dataset-specific enrichment or normalization (for example, fixing timestamps), while still taking advantage of Auto-Datatyping.
Clear a Search Dataset While Keeping the Setup
Cribl-hosted Search Datasets now let you manually wipe all their data without deleting the Dataset itself. This way, you can get rid of unwanted data while preserving your Dataset rules and retention settings. Requires Maintainer access on the Dataset.
Specify Sort Direction in Aggregation Operators
You can now specify sort direction directly in summarize group-by fields, instead of having to add a separate order by clause.
For example, instead of:
... | summarize by tenantId, workspace | order by tenantId asc, workspace asc
You can use:
... | summarize by tenantId asc, workspace asc
This applies to all aggregation operators, not just summarize, and you can control both direction and nulls placement
on each group-by field. For example, asc/desc and nulls first/nulls last per field.
Added Port 4318 as the HTTP Default for OTLP Source
OpenTelemetry uses 4318 as the standard port for HTTP protocol. Now, Cribl Search offers port 4318 as the default
port for HTTP protocol when you’re setting up the OTLP Source.
Dashboards and Experience
Dataset Details Panel: Notebooks & Dashboards Tabs
The Dataset details panel now has dedicated Notebooks and Dashboards tabs, making it easier to see exactly where and how a Dataset is used across each feature.
Updated Dataset Columns
The Dataset table now features combined or new columns to better display metadata and engine information. You can customize visible columns using the column picker.
Corrections
Operational Fixes
| ID | Description |
|---|---|
SEARCH-12954 | Fixed an issue where certain query results could make the Search UI inaccessible. The Search UI now always loads and remains accessible, regardless of invalid or unsupported values in query results. |
| SEARCH-12864 | You can now only resize a lakehouse engine when it is in Ready status. |
| SEARCH-11955 | Scheduled searches no longer fail for SAML users or run without the Datasets they should see, while the same searches work when run interactively. |
| SEARCH-12292 | We fixed an issue for searches against a v2 Dataset backed by Azure Blob Storage V2 or Amazon S3. The timestamps returned in search results reflect when the source file was created rather than the actual timestamps recorded in the events. |
| SEARCH-12947 | Searches against v2 Datasets were intermittently failing with the following error: Error running search: Timed out waiting for node to connect. |
| SEARCH-12512 | Fixed an issue where the More button in Get Data In > Kusto Expression to Match didn’t reveal the full expression in a pop-up. |
| MON-669 | Fixed an issue where the default system_email Notification target was not displayed and could not be selected when creating or editing Notifications in Cribl.Cloud. Previously configured Notifications that use the system_email target continued to send emails, but could not be managed through the UI. |
| PLAT-10337 | Fixed an issue where Cribl Stream users with the User Permission who were also members of a Team with the Admin Permission could not view or manage AI Settings. |
| PLAT-10364 | Fixed an issue where, when creating a custom Role, selecting the ProductAdmin, ProductReader, or ProductUser Policy showed only Worker Groups in the Object drop-down menu. The Object options now correctly list product names for these Policies. |
See the Cribl Search 4.17.0 release notes for the latest major feature updates.