Cribl Stream 4.16.0 (Coming Soon)
| PRODUCT | DATE | RELEASE | ADDITIONAL RESOURCES |
|---|---|---|---|
| Stream | 2026-01-28 | Feature | Known Issues, Cribl Edge Release Notes |
The following draft provides early access to release notes for the upcoming Cribl Suite product release. Features or functionality presented are not considered binding commitments and are subject to change at the discretion of Cribl at any time for any reason without notice. This information should not be relied upon in making purchasing decisions.
Cribl Stream 4.16.0 includes significant performance improvements, new capabilities, and important bug fixes.
Important Changes
Notice for Leader HA Users
Due to planned stability and performance improvements, Cribl will be increasing our recommended system requirements for Leader High Availability (HA) systems for the March 2026 release. Beginning with that release, we recommend the following:
- Make available enough disk space on the Leader to host your git repo in addition to all your configuration files.
- Ensure your NFS system supports updating
mtimeon your NFS system. - If there’s a git timeout configured in the
local/cribl.yml, ensure that it is equal or greater than the system default of 5 minutes.
We encourage you to prepare for these changes ahead of the next release.
Worker Tracking
Worker and Edge Node tracking between restarts is now enabled by default. Toggle the Disable Node persistence setting to stop the tracking. This toggle is deprecated and will be removed in a future release.
New Features
This release provides the following improvements:
Cloud Identity Event Logs on Cribl.Cloud
You can now download Cloud Identity Event Logs, which provide critical visibility into authentication, authorization, and administrative events within Cribl.Cloud. Use these logs to enhance system security, meet compliance requirements, and facilitate troubleshooting.
Temporary Log Level Settings in On-Prem Deployments
The configurable TTL (time-to-live) setting is now supported in on-prem deployments. Use it to temporarily change log levels for up to 24 hours and debug without overwhelming your logs or incurring unnecessary storage costs. The log level automatically reverts to the permanent setting after the TTL setting expires.
New Event Breaker: Azure Virtual Network (VNet) Flow Logs
We have introduced a new Azure Virtual Network (VNet) Flow logs Event Breaker type to support Microsoft’s recommended successor to the deprecated Network Security Group (NSG) Flow logs. This built-in Event Break is specifically optimized to handle the VNet Flow log schema, ensuring that flow records are correctly parsed and segmented as they are ingested. This addition allows you to easily migrate your existing Azure logging pipelines to the new format while maintaining accurate event boundaries and high-performance processing.
Ubuntu .deb Package
You can now install Cribl Stream on Linux using an Ubuntu (.deb) package.
Cribl Outpost General Availability
Cribl Outpost is now generally available and no longer in Preview. Cribl Outpost helps you manage deployments in restricted environments with multiple data centers or complicated networking setups by serving as a relay for control plane connections between Workers or Edge Nodes and the Leader Node.
Outpost Groups
You can now manage Outposts in groups for better overview and easier configuration. A group allows you to define the time to keep disconnected Outposts listed, tags for easier filtering, and the target product version, facilitating upgrades. When upgrading to this version, any existing Outposts you have will be placed in the default_outpost group.
Experience Improvements
- We redesigned the Git commit history view to provide better visibility into your version control. Accessible through the top navigation bar or any Worker Group/Fleet commit menu, the updated interface now displays expanded commit messages and detailed metadata. This redesign also introduces a more robust selection tool to simplify navigating and auditing historical changes.
- When using the
CRIBL_DIST_LEADER_URL, you can now configure thecompressionparameter (corresponding to the Compression setting in the Distributed Settings in UI). The available values aregzipandnone. - The Outpost information page now provides a System Activity tab with charts presenting the Outpost CPU, memory, and disk usage.
- You can now export a list of Outposts (with your selected filters applied) to JSON or CSV.
- Cribl Outpost now supports connections from nodes that use the gzip compression codec.
Sources and Destinations
- On-prem Amazon S3, Amazon Security Lake, Azure Blob Storage, Azure Data Explorer, Exabeam, Filesystem/NFS, Google Cloud Storage, and MinIO Destinations now provide a Directory batch size setting to control how many directories are processed per batch during empty staging directory cleanup. Cribl.Cloud got this setting in 4.15.0.
- We improved default HTTP retry behavior to prevent overloading destinations with requests when the server is either not responding or responding or with error statuses.
- The Amazon S3 Source and Destination region lists now include the AP5 and AP7 AWS regions, allowing you to configure buckets in those regions directly from Cribl.
- The Cortex XSIAM Destination now uses a default max body size limit of 9.5 MB to account for HTTP overhead and prevent 413 errors from the XSIAM API.
- The File Monitor now offers a Salt file hash toggle to help differentiate and correctly ingest files that have identical hashes (for example, CSV files).
- The LastLog collector in the System State Source has been enhanced for better performance. If you encounter problems with the collector, you can temporarily switch back to using the old method by enabling Use legacy collection for LastLog in the Source’s Advanced Settings.
- All Monitoring charts, including those for Sources, Destinations, Data Fields, Packs, Pipelines, Projects, Routes, and Subscriptions, as well as system metrics like CPU Load, Free Memory, and Bytes In/Out, now feature a local, configurable time range picker. By default, each chart inherits the current global Monitoring time range (set from the control in the upper right of the page), but any changes you make to a chart local time range affect only that chart and do not change the global time range.
- The Datadog Agent Source now supports ingesting APM trace data. Accepting Datadog v0.3 and v0.4 trace API endpoints from
dd-traceclients, automatically parsing spans into events. - The Datadog Destination now supports sending Datadog-formatted APM traces to Datadog, in addition to logs and metrics.
- The Prometheus Scraper Collector now includes an HTTP Connection Timeout setting, allowing you to limit how long the scraper waits to establish a connection with each target. This ensures that unresponsive endpoints do not stall the overall scraping process.
Packs
You can now define and manage variables at the Worker Group level, enabling more robust configuration templating across your environments. By using these variables within Source and Destination fields within a Pack, you can create a single, environmentally-aware Pack that dynamically adapts to the specific Worker Group where it is deployed (such as adjusting ports, paths, or other environment details). To support this new functionality, the Variables UI has been enhanced to be context-aware, showing you exactly where variables are referenced within a Pack or Worker Group. This allows you to easily view, edit, and manage variable values based on the specific context you are working in.
To streamline the migration and scaling of your Pack configurations, you can now clone externally dependent resources (including secrets, certificates, and variables) directly from one Worker Group to another. This enhancement eliminates the manual rework previously required when moving Packs between environments, ensuring that all necessary Pack dependencies travel together. It also simplifies the process of expanding from small initial implementations to large-scale, multi-environment deployments while maintaining consistent security and variable settings.
Corrections
This release contains the following bug fixes:
Operational Fixes
| ID | Description |
|---|---|
CRIBL-36585 | Resolved an issue where the Event Breaker preview ignored sample size limits and defaulted to a 256 KB cap. This caused file truncation when uploading samples larger than 256 KB, even if a higher limit was set. |
| CRIBL-37406 | Resolved an issue where scheduled jobs fail permanently if a Worker Process is restarted during execution. |
| PLAT-401 | Fixed an issue that caused the YAML serializer to insert newlines in configuration files that contain multiline fields. To fix this issue, fields that Cribl previously stored as folded block scalars (>-) are now stored as literal block scalars (` |
| CRIBL-37637 | We resolved an issue where the upgrade page would fail to render if the Cribl CDN was unreachable. The UI now loads as expected and displays an error message indicating that the CDN connection couldn’t be established for further troubleshooting. |
| CRIBL-37554 | We improved the Event Breaker Preview to accurately display events based on the Ruleset’s filter condition. This fix removes misleading strike-throughs that incorrectly suggested the filter was applied to individual events within a data stream. |
| CRIBL-26106 | We resolved an issue where a Worker Process could occasionally load an incomplete configuration if it restarted during a deployment. This could lead to data being processed without its intended Pipelines or Functions. The deployment process now ensures that the Worker Process will only ever use a fully-validated configuration, guaranteeing that it uses either the complete previous version or the complete new version. |
Source and Destination Fixes
| ID | Description |
|---|---|
CRIBL-36825 | Resolved an issue where AWS Sources using Assume Role could hang for up to 20 minutes if a regional STS endpoint was unreachable. A default 30-second timeout is now enforced for these requests. This ensures prompt failover to the global STS endpoint, significantly reducing ingestion delays during connection issues or Node restarts. |
| CRIBL-36687 | The OTLP Logs and OTLP Metrics Functions now correctly handle previously dropped attributes from earlier in the pipeline. Previously, those attributes could still appear in the exported OTLP payload with empty values. |
| CRIBL-35430 | Updated the OTLP Metrics Function to correctly read and serialize the aggregation_temporality field for sum and counter metrics. Additionally, for sum and counter metrics emitted from Cribl Internal Metrics, the function now automatically sets this field to delta. |
| CRIBL-36259 | Resolved an issue where HTTP-based source openCxn and closeCxn metrics were counted per request instead of per underlying socket connection. As a result, connection counts may differ from previous releases. |