Home /Cribl Stream 4.19.0

Cribl Stream 4.19.0 (Coming Soon)

PRODUCTDATERELEASEADDITIONAL RESOURCES
Stream2026-07-22FeatureKnown Issues, Cribl Edge Release Notes

The following draft provides early access to release notes for the upcoming Cribl Suite product release. Features or functionality presented are not considered binding commitments and are subject to change at the discretion of Cribl at any time for any reason without notice. This information should not be relied upon in making purchasing decisions.

Cribl Stream 4.19.0 includes significant performance improvements, new capabilities, and important bug fixes.

Important Changes

This release introduces breaking changes and deprecations that require action if you use the affected features:

New Features

This release provides the following improvements:

Global Secrets in Cribl.Cloud

Cribl.Cloud now supports global secrets, which you can retrieve from HashiCorp Vault or the built-in Cribl secret store. Use global secrets to define credentials once and reuse them across Cribl Stream and Edge. Teams can share and rotate credentials in one place instead of maintaining duplicates.

Cribl.Cloud Release Channels

In Cribl.Cloud, Enterprise customers can assign each Workspace to the Regular or Slow release channel. The Regular release channel (default) follows the standard monthly release cadence. The Slow release channel also updates on a monthly basis but is one version behind Regular. Release channels give teams self-service control over Cribl upgrade cadence on a per-Workspace basis and allow them to validate new Cribl versions in pre-production Workspaces before deploying to production environments. The Slow release channel is not updated in November and December to accommodate holiday season change freezes.

You can now configure AWS and Azure Private Link connections to Cribl.Cloud Workspaces directly through the Cloud portal. This keeps your traffic entirely off the public internet by routing it through your cloud provider’s backbone network. You can use private links to safely send data to hosted Worker Groups or protect Worker-to-Leader communications via a private endpoint on your Leader.

Multi-Region Workspaces in Cribl.Cloud

In Cribl.Cloud, Admins can now add new Workspaces in any region, independently of the Organization region. This allows customers with global footprints to locate Workspaces within geographic and political boundaries as needed to meet standards for compliance, data residency and sovereignty, and local processing.

Gemini as a Custom AI Provider

This release introduces Gemini as a custom AI provider and lets you easily reset BYOM tier assignments to their suggested defaults. Enhanced UI visibility makes verifying BYOM test results quick and seamless.

Apps (Preview): Capra in the App Scaffold

The Create App scaffold now installs Capra, Cribl’s design system, by default. New projects include a Capra-based sample UI, Capra packages from the public npm registry, and AGENTS.md guidance for AI-assisted development. You can use Capra components and design tokens, apply Capra styling with your own components, or replace Capra with another UI stack.

Parser Function: New Auto Type

You can now set Type to Auto to detect event format and extract top-level fields from _raw using the same auto-datatyping logic as Cribl Search, without manual parser configuration.

Enhanced pipe CLI Command

The cribl pipe CLI command now supports --breaker (-e) and --fields (-f) options. Use --breaker to apply an Event Breaker Ruleset to raw stdin, and --fields to apply Source-style field expressions before Pipeline processing. When you use both options together, fields are applied before breaking, so Ruleset rule conditions can evaluate against them. This makes it easier to perform end-to-end testing of Packs: you can pipe raw data through a Pipeline and have it broken and enriched the same way a configured Source would, without a live Source connection.

Source Persistent Queues: Queue-full Behavior

Queue-full behavior is now available on Source persistent queues, matching Destination persistent queues. When a queue reaches its Queue size limit, you can block incoming data or drop new events. Use Drop new data to keep UDP and other senders that cannot slow down flowing during sustained backpressure, while queued data continues to drain.

AWS Cloud Connections

On Cribl.Cloud, you can now connect AWS accounts to Cribl to automatically discover cloud data sources and bulk-onboard them as Cribl Sources.

New Sources and Destinations

Amazon Bedrock Source: A new Amazon Bedrock Source allows Cribl Stream to collect model invocation logs and audit logs from Amazon Bedrock.

Sysdig Source: A new Sysdig Source allows Cribl Stream to receive security and observability data from Sysdig via HEC.

Upwind Source: A new Upwind Source enables Cribl Stream to receive security event data from Upwind’s cloud security platform via HEC.

Amazon Managed Service for Prometheus (AMSP) Destination: A new Amazon Managed Service for Prometheus Destination provides a dedicated tile for remote-writing metrics to AMP (Amazon Managed Service for Prometheus).

Google BigQuery Destination: A new Google BigQuery Destination enables Cribl to write events directly into BigQuery tables using Google’s Storage Write API, eliminating the need to route through intermediate storage.

IBM Cloud Object Storage Destination: A new IBM Cloud Object Storage Destination enables you to route and store data directly in IBM Cloud Object Storage buckets using HMAC-based authentication.

Snowflake Destination: A new Snowflake Destination enables Cribl to write events directly to Snowflake tables using the Snowflake REST API.

Experience Improvements

  • Cribl AI is now directly embedded into the suite by default, introducing AI-accelerated workflows across your Workspace. You can use natural language to build pipelines, automatically generate commit messages, and mitigate privacy risks. These capabilities are supported by either Cribl-supplied models or your own custom provider configurations, giving you full control over how AI processes your data.
  • This release delivers performance improvements to Copilot Editor and adds support for OCSF schema versions 1.7 and 1.8 to ensure compatibility with newer detection rules.
  • You can now connect AI coding tools directly to the embedded MCP server on your Cribl Leader - no separate container required. Enable it in AI Settings and use a bearer token to manage your environment via natural language, securely tied to your native Cribl permissions. The standalone Docker MCP server remains fully supported.
  • You can now configure Worker process config update concurrency and Worker process reload timeout (seconds) on the Worker Processes tab to control how configuration changes roll out during deploy. Defaults are 20% of Worker Processes per batch and a 60-second reload timeout. Consult Cribl Support before adjusting these settings.
  • A new Restart unresponsive Worker Processes setting, enabled by default for on-prem and hybrid Worker Groups, automatically restarts Worker Processes that stop sending timely heartbeats to the API Process.
  • Cribl Guard now runs an automatic preliminary scan every 24 hours. When you open a detection in the Findings view, the Recommendations section proposes how to act on recent detections and lets you preview the regex patterns for suggested rules.
  • Worker Node and Stream Worker information now opens in a full dedicated page instead of a side drawer.
  • Outpost Group settings now expose an API Server Settings section, including host, port, and TLS settings.
  • QuickConnect now includes an Enabled only filter that hides disabled Sources from the view. The filter is off by default.
  • The Data Preview toolbar now shows inline fields and bytes statistics after you run a Simple Preview, so you can see how a Pipeline changes your data without opening a modal. Select Pipeline diagnostics for full statistics and profiling.
  • Added a new metric, breaker.ts_extract_failures, that reports timestamp extraction failures and out-of-window timestamps per Source, making it easier to identify events with timestamp parsing problems.
  • Improved the delete experience for Event Breaker Rulesets. The delete flow now makes in-use Rulesets easier to identify and shows where they are referenced before removal, helping prevent accidental Pipeline-impacting changes.
  • Git commits now record the actual user as the Git author instead of a generic admin user, making configuration history easier to audit.
  • You can now reference Worker Group or Fleet variables from inside a Pack using C.systemVars, in JavaScript-enabled fields across Sources, Destinations, Collectors, and Pipeline Functions. Pack variables still use C.vars. The expression editor includes C.systemVars typeahead in Pack context.
  • The sidebar, top bar, dialogs, tables, and login screens are now more accessible for screen readers and users who rely on keyboards for navigation. Icons have been updated and color contrast has been enhanced for users with impaired vision.
  • The Team Details page now lists SSO users under Team Members.
  • A new secure, read-only external API lets you programmatically access FinOps Center billing and usage data, so you can integrate Cribl cost and consumption metrics into your own BI dashboards, chargeback, and automated reporting.
  • In the FinOps Center, a new Global Date Range picker lets you set the date range for all of your billing graphs in the FinOps Center at one time, reducing the number of clicks and saving you just a little time for more important work.
  • Your Organization role(s) now appear under your name in the account menu, so you can see your role without navigating to Members & Teams.

Sources and Destinations

  • The Amazon Kinesis Data Streams Source now distributes shards more evenly across all available Worker Processes.
  • The Claude Compliance API Source has been expanded with additional endpoint coverage.
  • Cribl Stream now features high-availability Collectors, keeping scheduled Collector jobs running during a Leader outage by electing a temporary Worker Captain in an eligible Worker Group. On the latest release, this capability is automatic for Cribl-managed Worker Nodes in Cribl.Cloud and opt-in for on-prem and hybrid Worker Groups.
  • The Datadog Source and Destination now support APM client stats alongside traces.
  • The Microsoft Graph Source now exposes a custom Event Breaker option for Message Trace collection.
  • The Oracle DB Collector now supports mutual TLS (mTLS) authentication when using Oracle THIN mode.
  • The REST Collector now supports OAuth refresh token flows. Access tokens are cached and reused across Collector runs until they expire rather than being minted on every request, and the Collector can automatically obtain a new refresh token when the current one expires or is consumed.
  • The S3 Collector now supports .zip files, automatically decompressing and parsing their contents into individual events. This allows you to ingest archived data stored in .zip format directly from S3 without requiring external pre-processing steps such as Lambda functions.
  • The S3 Source now supports independent IAM role configurations for SQS queue polling and S3 object reads.
  • The Alibaba OSS Destination now supports multiple authentication methods for both IAM-based and cross-account deployments.
  • The SNMP Destination now supports an option to preserve the original source device’s IP address when forwarding traps.

Important Changes

Breaking Change: Selected Cribl API Endpoints for Pipelines, Routes, Profiler, and Job Logs Now Return Correct HTTP Status Codes

Endpoints that previously returned HTTP 500 Internal Server Error for client error conditions now return the correct 4xx status codes. This change reduces false-positive 5xx alerts and lets API clients distinguish bad requests from server failures.

What you need to do:

For the endpoints in the following table, update any automation that treats 500 Internal Server Error as the signal for the specified condition to handle 400 Bad Request or 404 Not Found instead. Error messages and response bodies are unchanged; only the HTTP status codes differ.

EndpointConditionCorrected HTTP status code
POST /pipelinesInvalid Pipeline or Function schema400
PATCH /pipelines/{id}Invalid Pipeline or Function schema400
PATCH /routes/{id}Invalid Route schema400
POST /system/profilerWorker Process not registered404
DELETE /system/profiler/{id}Profile not found404
GET /system/jobs/logs/{id}/{groupId}Job or log files not found404

Breaking Change: Single-Item GET Requests Return HTTP 404 for Unknown IDs in On-Prem Deployments

In on-prem deployments, CRUD-style GET-by-ID operations in the Cribl API now return HTTP 404 Not Found when the requested resource ID does not exist. Previously, those operations returned HTTP 200 OK with an empty items array and count: 0. This change applies to the following endpoint paths:

/admin/products/{product}/mappings/search/dashboard-categories
/alert/monitors/search/dashboards
/alert/silences/search/dataset-provider-types
/fleet-mappings/search/datatypes
/lib/grok/search/federated_search/engines
/lib/mdt-devices/search/jobs
/lib/parsers/search/local_search/dataset-rulesets
/lib/protobuf-libraries/search/local_search/datatype-rulesets
/lib/regex/search/local_search/engines
/lib/sds-rules/search/macros
/lib/sds-rulesets/search/notebook-templates
/mappings/search/notebooks
/notification-policies/search/usage-groups
/notifications/system/instance
/pack/system/internal-groups
/products/aetos/config-profiles/system/keys
/products/aetos/monitors/system/messages
/products/aetos/shared-configs/system/policies
/products/lake/lakes/{lakeId}/config/system/samples
/products/lake/lakes/{lakeId}/direct-access/system/scripts
/products/lake/lakes/{lakeId}/metrics/system/users

This change applies only for unknown resource ID values. If a resource ID exists but the API cannot return it due to filters, the request still returns HTTP 200 OK with an empty items array and count: 0.

What you need to do:

In on-prem deployments, for the listed endpoint paths, update API clients that treat HTTP 200 OK with an empty items array and count: 0 as “not found” to handle HTTP 404 Not Found instead. To confirm that an operation returns HTTP 404 Not Found for an unknown ID before updating clients, send a GET-by-ID request with a deliberately invalid ID.

Deprecation Notice: Disable Node Persistence

The Disable Node persistence setting is deprecated and will be removed in a future release. Node information is persisted by default. Use the Worker Group/Fleet-level Time to keep disconnected Nodes setting to control how long Nodes are tracked.

Notice: End of Support and End of Life for CentOS 7

Cribl has officially transitioned CentOS 7 to End of Support (EOS) and End of Life (EOL) for all on-premises deployments for Cribl Stream/Edge Leader and Worker/Edge Nodes. This milestone follows the deprecation notice introduced in Cribl Stream 4.9 and adheres to our standard product lifecycle policy.

Cribl will no longer provide new feature updates, bug fixes, or security patches for Leaders and Worker/Edge Nodes running on CentOS 7.

To maintain uninterrupted enterprise support and safeguard your data pipelines, migrate your on-prem Cribl infrastructure to a supported, modern Linux distribution (such as RHEL 9) as soon as possible.

Notice: Future Removal of AppScope Source

The AppScope Source is in End of Support (EOS) and will be removed from Cribl Stream in a future release.

Corrections

Operational Fixes

IDDescription
PLAT-12786
Fixed a memory leak that could cause steady heap growth when inter-process RPC calls timed out.
PLAT-7290Fixed an issue in Cribl.Cloud where users with the Admin Workspace Permission through an SSO-mapped Team could not access the Workspace tab in the sidebar.
PLAT-11447Fixed an issue in Cribl.Cloud where logging back in after a session timeout redirected every open browser tab to the same page instead of restoring each tab to the page you were viewing before logout.
CRIBL-39583Fixed an issue where the GeoIP Function in a Pack returned a file not found error when referencing a global Worker Group or Fleet MMDB file using the cribl. prefix.
CRIBL-41261Fixed an issue where the Sources and Destinations status pages could hang indefinitely when any Worker/Node process was unresponsive.
CRIBL-42079The status icon (grey circle) indicating that no Source or Destination metrics are being collected now correctly navigates to the Sources or Destinations page.
CRIBL-41304Fixed an incorrect Default Worker Group label in Cribl Edge and Cribl Outpost settings.
CRIBL-42006Fixed an issue where you could not restart Worker processes from the Worker Processes tab when connected to a hybrid Worker in Cribl.Cloud.
CRIBL-42068Fixed an issue where Worker Process count stayed at the free-tier limit of 10 after the Leader reconnected and a valid license was restored.
CRIBL-42072Fixed an issue where the Pipeline selector in a Project connection view did not show the active Pipeline as selected, even though the correct Pipeline was configured.
CRIBL-42079Fixed an issue where the status icon indicating that no Source or Destination metrics are being collected did not navigate to the Sources or Destinations page when clicked.
CRIBL-42599Fixed an issue where the Outpost Info tab displayed incorrect labels instead of the Stream version and Worker Group.

Source and Destination Fixes

IDDescription
CRIBL-37299
Fixed a dashboard issue where blocked status did not clear correctly after backpressure resolved.
CRIBL-42014Fixed an issue where a Syslog TCP Source with load balancing enabled could stop delivering data after a Worker restart and remain stuck until the Source was disabled and re-enabled.
CRIBL-42020Fixed an issue where the REST Collector’s Response Body pagination mode stopped working when the API returned a top-level JSON array. The pagination stop expression would not evaluate correctly against the array response, causing the Collector to continue paginating until it reached the maxPages limit rather than stopping as configured.
CRIBL-42291Fixed an S2S v4 issue where recycled channel IDs inherited stale metadata from their previous registration, causing events to be routed to the wrong Splunk index. This happened when forwarders exceeded the 300-channel limit and reused channel slots on the same connection.
CRIBL-42294Fixed an issue with the Splunk Load Balanced destination where the Stream landing page error badge counted each individual indexer endpoint as a separate destination error.
CRIBL-42643Fixed an issue where SQS-based sources could hang indefinitely on a stalled TCP connection.
CRIBL-42875Fixed an issue in file-system-based destinations where a failed upload could cause orphan recovery to re-compress already-compressed files.

SDK Changelogs

The Cribl SDKs help you integrate with Cribl and reduce the need for repetitive tasks. We maintain changelogs for each version of the Cribl SDKs in their GitHub repositories: