Cribl Search 4.18.0 ​

Summary ​

Cribl Search 4.18.0 adds lakehouse engines and Search Datasets in Cribl.Cloud Government, lakehouse accelerated fields and export to Search Datasets, and updates to notebooks, the timepicker and timezone, Generic HTTP dataField paths, and large-number handling. Cribl AI, Copilot, and Investigations (Preview) gain Custom AI Provider improvements, MCP support, Copilot controls, environment-aware chat, and richer investigation workflows.

Some system and database-connection API responses no longer return sensitive values in plaintext. See Important Changes if you depend on those responses.

Important Changes ​

Breaking Changes to Sensitive Information in API Responses and the UI ​

API responses for the following endpoints no longer include sensitive information in plaintext:

• /system/settings
• /system/settings/auth
• /lib/database-connections

This affects passwords and password-equivalent attributes such as bindCredentials and client_secret. The values for these attributes are omitted or masked in API responses and in corresponding fields in the UI.

What you need to do:

• Update any automation or scripts that depend on reading these plaintext values from the API responses for these endpoints.
• Plan to provide replacement values for sensitive information in the UI, like connection strings for Database Connections. Do not rely on viewing or copying sensitive information that was previously visible in the UI.

New Features ​

Lakehouse Engines with Search Datasets in Cribl.Cloud Government ​

Cribl.Cloud Government now supports the same lakehouse engines and Search Datasets as commercial Cribl Search. The new lakehouse engines use FedRAMP-approved, FIPS-compliant cryptography and stay fully inside the Cribl.Cloud Government boundary. The Lakehouses in Cribl Lake are being deprecated.

Lakehouse Engine Accelerated Fields ​

We’re adding support for accelerated fields in Cribl Search lakehouse engines. This means you can designate frequently filtered fields (like hostname or sourcetype) to speed up lookups across large volumes of data.

App Platform (Preview) ​

Use the new App Platform (Preview) to build and run custom apps in Cribl. Apps are packaged UI experiences that call Cribl and third-party APIs, letting you create tailored workflows and front-end experiences that go beyond the built-in product surfaces.

Search Experience ​

Export Search Results to Search Datasets ​

You can now export search results directly to Search Datasets in lakehouse engines for use in future searches. Use the export operator with the new search parameter. For example:

| export to search myDataset

Notebook Templates ​

Notebook templates let you start new Notebooks from your own saved layouts or from Cribl-built templates, so sections, queries, and visualizations are already in place for repeatable investigations. You can also use a template as an operational runbook: a fixed sequence of steps, queries, and notes your team follows for incidents or routine checks.

Timepicker Improvements ​

The Search timepicker now works faster for common ranges, with quick actions that stay in sync and a calendar that supports flexible selections and automatic full-day boundaries. When a search uses an explicit time range, the timepicker shows that window for direct edits.

Saved searches and Notebooks include the timezone control in the timepicker, and the Event List Viewer now follows the shared timepicker timezone instead of a separate selector.

Generic HTTP API Dataset Provider Supports Dotted dataField Paths ​

For the Generic HTTP API Dataset Provider, dataField now supports dotted paths (for example, data.issues.nodes) so Search can navigate nested JSON responses and turn each item in the resulting array into a separate event, while single-level and blank dataField values continue to behave as before.

Large Number Precision in Searches ​

Numeric searches and computations now follow the IEEE 754 standard for large-number precision. For values larger than the maximum safe number (2^53 - 1), wrap the number in quotes so it’s treated as a string. For example:

dataset="my_dataset" | where id=="10001900000009910000"

Federated Engine Tiers Enforce Search v2 Concurrency ​

Federated Engine tiers now enforce the number of concurrent Search v2 searches that can run per region. When your tier limit is reached, additional Search v2 searches are queued and run when capacity becomes available, instead of failing immediately.

Parquet Format for v2 Federated Datasets ​

V2 federated Datasets on Amazon S3 and Azure Blob Storage now support Parquet, in addition to NDJSON and Delimited Text.

Expected Time Range for Lakehouse Engine Datasets ​

Lakehouse engine Datasets now include configurable Earliest expected timestamp and Latest expected timestamp settings, which define the accepted time window for ingested events and help prevent ingest failures caused by widely distributed event timestamps.

Federated Search v2 Datasets in Cribl.Cloud Government ​

Cribl.Cloud Government now supports Federated Search v2 Datasets on its query engine, bringing faster performance and clearer datatype mapping to your distributed searches.

Cribl AI and Copilot ​

Custom AI Provider Enhancements ​

We’ve streamlined AI provider setup with a new 3-step wizard, added support for LiteLLM and OpenAI-compatible endpoints, and introduced Model Tier assignments (Small, Frontier, Reasoning). You can now test model connections before saving and manage providers directly from the AI Settings dashboard.

MCP Integrations for Cribl AI ​

Cribl AI now supports external Model Context Protocol (MCP) servers, enabling AI agents to access third-party tools during conversations. You can connect external servers via endpoint URLs, with full support for authentication headers and external providers using API keys. For maximum security, all credentials are encrypted at rest.

Cribl Copilot Chatbot Toggle ​

Admins can now enable or disable the Cribl Copilot chatbot widget independently of other Cribl AI features. This allows you to hide the chat interface without impacting broader AI functionality. The toggle is enabled by default for consented deployments, preserving existing behavior upon upgrade.

Cribl Copilot Chat: Environment-Aware Operational Queries ​

Cribl Copilot Chat now supports environment-aware queries, allowing Cribl.Cloud users to ask natural language questions about their live deployment configuration. By combining documentation with real time operational data, Copilot can list configured Routes and Pipelines and provide surface system-level warnings and errors directly in the chat. To ensure security, this feature uses read only tools that automatically redact sensitive information and provides answers tailored to your specific Stream, Edge, Search, or Lake environment.

Investigations (Preview) ​

More for AI-guided Analysis ​

AI-guided investigations (Preview) now give you more control and room to dig in:

• Choose the reasoning model for each investigation when your organization uses Custom AI Providers. Pick the model that fits the question instead of being locked into one default.
• Use MCP integrations to tie Search to third-party tools and pull relevant context into the chat without leaving the investigation.
• Sessions save automatically, so you can restart or continue where you left off, revisit prompts, and review earlier results.
• Dataset intelligence adds context so the investigation stays grounded in your data.
• Use Deep Investigations to map and test multiple hypotheses in sequence and follow how each search and finding connects over the course of an investigation.

Corrections ​

SDK Changelogs ​

The Cribl SDKs help you integrate with Cribl and reduce the need for repetitive tasks. We maintain changelogs for each version of the Cribl SDKs in their GitHub repositories:

• Go SDK changelogs: control plane and management plane
• Python SDK changelogs: control plane and management plane
• Typescript SDK changelogs: control plane and management plane