Cribl Stream 4.18.2 (Coming Soon)
| PRODUCT | DATE | RELEASE | ADDITIONAL RESOURCES |
|---|---|---|---|
| Stream | 2026-06-24 | Maintenance | Known Issues, Cribl Edge Release Notes |
Cribl Stream 4.18.2 includes significant performance improvements, new capabilities, and important bug fixes.
Important Changes
Breaking Change: Single-item GET requests return HTTP 404 for unknown IDs in Cribl.Cloud
In Cribl.Cloud, CRUD-style GET-by-ID operations in the Cribl API now return HTTP 404 Not Found when the requested resource ID does not exist. Previously, those operations returned HTTP 200 OK with an empty items array and count: 0.
This change applies only for unknown resource id values. If a resource id exists but the API cannot return it due to filters, the request still returns HTTP 200 OK with an empty items array and count: 0.
What you need to do:
In Cribl.Cloud, for the affected endpoint paths, update API clients that treat HTTP 200 OK with an empty items array and count: 0 as “not found” to handle HTTP 404 Not Found instead. To confirm that an operation returns HTTP 404 Not Found for an unknown id before updating clients, send a GET-by-ID request with a deliberately invalid id.
Expand the following section for a list of the affected endpoint paths.
List of affected endpoint paths
/admin/products/{product}/mappings/alert/monitors/alert/silences/fleet-mappings/lib/grok/lib/mdt-devices/lib/parsers/lib/protobuf-libraries/lib/regex/lib/sds-rules/lib/sds-rulesets/mappings/notification-policies/notifications/pack/products/aetos/config-profiles/products/aetos/monitors/products/aetos/shared-configs/products/lake/lakes/{lakeId}/config/products/lake/lakes/{lakeId}/direct-access/products/lake/lakes/{lakeId}/metrics/search/dashboard-categories/search/dashboards/search/dataset-provider-types/search/datatypes/search/federated_search/engines/search/jobs/search/local_search/dataset-rulesets/search/local_search/datatype-rulesets/search/local_search/engines/search/macros/search/notebook-templates/search/notebooks/search/usage-groups/system/instance/system/internal-groups/system/keys/system/messages/system/policies/system/samples/system/scripts/system/users
Deprecation Notice: Disable Node Persistence
The Disable Node persistence setting is deprecated and will be removed in the upcoming 4.19.0 release. Node information is persisted by default. Use the Worker Group/Fleet-level Time to keep disconnected Nodes setting to control how long Nodes are tracked.
New Features
This release provides the following improvements:
App Platform (Preview) RBAC
App Platform (Preview) role based access control (RBAC) lets admins control which users and teams can access each App. For each new App, users will see only the Apps that have been shared with them, and admins can grant or revoke access per App.
Google Cloud Observability Destination
Cribl Stream adds a Google Cloud Observability Destination that sends OpenTelemetry metrics, logs, and traces to Google Cloud Observability.
Experience Improvements
- Cribl AI agents on an Anthropic via Amazon Bedrock custom provider now use the AWS SDK’s native
outputConfig.textformat for structured outputs. Bedrock agents return more reliable schema-valid JSON, and an intermittentValidationExceptionseen in some agent flows is resolved. - You can now update a custom AI provider without re-entering your API key or virtual key. The credential field appears blank in the edit wizard, but Cribl keeps the stored key. Enter a value only to rotate it.
- Cribl.Cloud now rejects custom AI provider URLs that use a non-HTTP(S) scheme, resolve to localhost, or use a literal private or link-local IP address. This prevents custom providers from probing internal cloud infrastructure.
- Copilot Editor now recommends the most appropriate target schema for your sample data and asks you to approve or adjust it, rather than asking you to pick from a list. It also maps more available fields, such as Source and Destination IP addresses, creating robust pipelines that capture more relevant data. Editing is smoother too: launching Copilot Editor from a Pipeline loads that Pipeline directly, and at the end of the session you can choose to save your changes as a new Pipeline or overwrite the existing one.
- Cribl Guard now displays Guard Functions used in Source Pre-processing Pipelines, not just those on Destinations, Routes, or QuickConnect. You get visibility into Guard findings and volumes for data scanned on the way in.
- Outpost Nodes now support SOCKS proxies for communication with the Leader.
Sources and Destinations
- Resolved an issue where the Datadog Agent Source silently dropped APM traces sent from legacy Datadog Agents using the older
TracePayloadProtocol Buffer wire format. The Source now dynamically detects the agent version using the incomingUser-Agentheader, extending support to some of the older agent versions prior to v6.33/v7.33 to prevent dropped traces. If the agent version cannot be determined, the Source automatically falls back to try both formats, helping to prevent data loss with legacy data flows. - New Journal Files Sources now collect logs only from the current boot by default, reducing the risk of sending older data during first-time deployment.
- The default persistent queue (PQ) buffer size has been increased from 64 KB to 1 MB, reducing CPU and I/O overhead when multiple PQs are active. The maximum configurable buffer size is now 10 MB (previously 1 MB), and the default max file size has been increased to 10 MB. Existing PQ configurations set to the previous 64 KB default will be automatically migrated to the new 1 MB default.
- The Kafka Source and Confluent Cloud Source now support OAuth2 Client Credentials authentication for Confluent Schema Registry, enabling integration with Schema Registry endpoints that require OAuth2 machine-to-machine authentication.
Packs
Packs that contain symlinks are now blocked during import. Previously, symlinks within a Pack’s directory structure were preserved when importing from a Git repository, which could lead to unintended file path resolution. Symlinks in Packs are no longer permitted, improving the security posture of Pack installations.
Corrections
This release contains the following bug fixes:
Operational Fixes
| ID | Description |
|---|---|
CRIBL-40408 | Fixed an issue where the Outpost listener service failed to start when TLS was configured with a private key passphrase. The CRIBL_OUTPOST_LISTENER_URL is now deprecated. |
| CRIBL-41380 | Fixed an issue where links from the Outpost Target Version screen opened the Fleets page instead of the relevant Outpost group. |
| CRIBL-39909 | Fixed an issue where persistent queues on Cribl HTTP Destinations could stop draining after backpressure cleared when Strict ordering was disabled, which could leave queued data stuck until the Worker restarted. |
| CRIBL-40995 | Fixed an issue in self-hosted distributed deployments where newly joined Workers could remain stuck in a “config loading” state when their Worker Group contained deployed lookup files. |
| CRIBL-41259 | Fixed an issue where modifying an Event Breaker Ruleset at runtime could cause the Multiplexed Event Stream Breaker to throw an error and fall back to default line breaking, resulting in incorrectly broken events. |
| CRIBL-29894 | Fixed an issue where HTTP-based Destinations with persistent queueing (PQ) enabled could underreport output bytes when events no longer included the _raw field. |
| PLAT-11929 | Fixed an issue in Leader High Availability (HA) deployments where Leader replication could cause a Leader Node’s local Git repository branch to diverge from the branch used by the failover (HA) volume repository. The fallback branch for Leader bootstrap triggered by the CRIBL_GIT_REMOTE environment variable now uses the Git branch from CRIBL_GIT_BRANCH or falls back to Leader’s current Git branch instead of defaulting to master. |
| CRIBL-37715 | In the Pipeline Preview pane, fields containing dots in their names (for example, test.test) that hold nested objects now expand correctly. |
| CRIBL-40928 | Fixed an issue where enabling Teleport or changing Worker Group Size could fail for existing Azure-based Cribl.Cloud Worker Groups whose names contain uppercase letters. |
| CRIBL-41494 | Fixed an issue where a downstream Destination’s Post-Processing Pipeline could be skipped for events from a Source inside a Pack when the Pack Route used Send to Worker Group Routes. |
| CRIBL-39905 | Fixed a race condition where a Commit & Deploy that triggered a Worker Process configuration reload (rather than a restart) could cause a small number of in-flight events to bypass lookup function enrichment. |
Source and Destination Fixes
| ID | Description |
|---|---|
CRIBL-41634 | Fixed an issue where the Journal Files Source would omit fields starting with an underscore from the journald field. |
| CRIBL-40586 | Fixed an issue where File Monitor logged harmless stale file handle errors from NFS or EFS mounts as errors instead of warnings. |
| CRIBL-40990 | Fixed an issue where File Monitor could leave state behind for nested .zip files when Delete File was enabled. |
| CRIBL-37544 | Fixed an issue where Sentinel Destinations could remain in a healthy state after OAuth authentication failed, even when data could not be sent out. |
| CRIBL-25942 | Fixed an issue where large metric values sent through Splunk-to-Splunk v4 Destinations to Splunk Cloud could be silently dropped after ingestion. Cloud-only. |
| CRIBL-35603 | Fixed an issue where Azure Event Hubs Destinations could log a misleading flush error after an Azure authentication failure, even when the destination successfully reconnected and resent the data. |
| CRIBL-40919 | Fixed an issue where HTTP-based Destinations sometimes ignored proxy bypass settings for IPv6 addresses. |
| CRIBL-38597 | Fixed an issue where Google Cloud Storage Destinations could try to upload invalid object names generated by partitioning expressions, leaving staged files behind and requiring manual cleanup. |
| CRIBL-40931 | Fixed an issue where the Datadog Agent Source could silently drop protobuf traces from agents older than 6.33/7.33. |
| CRIBL-37439 | Fixed an issue where REST Collectors could log a misleading auth token extraction error when the authentication response did not include the Authorization header. |
| CRIBL-40240 | Fixed an issue where Azure Blob Collectors configured with disableTimeFilter: true and a time-tokenized path could ignore the selected time range during discovery and enumerate the entire container instead of only the expected dated prefixes. |
Other Functional Fixes
| ID | Description |
|---|---|
CRIBL-40007 | Fixed an issue where the Help link for the Mask Function in Pipelines would display an error instead of opening the documentation. |
| AI-3994 | Fixed an issue where certain AI features ignored the configured custom AI provider model tiers and fell back to hardcoded default models. This caused Copilot, Investigations, Guard, and other AI features to fail when those default model IDs were not deployed in the BYOM configuration. AI features now use the model IDs you assign to each tier in AI Settings. |
| CRIBL-41507 | Fixed empty tooltips appearing in Outpost Group Target Version screen. |
SDK Changelogs
The Cribl SDKs help you integrate with Cribl and reduce the need for repetitive tasks. We maintain changelogs for each version of the Cribl SDKs in their GitHub repositories:
- Go SDK changelogs: control plane and management plane
- Python SDK changelogs: control plane and management plane
- Typescript SDK changelogs: control plane and management plane