Pack - Jan 8, 2026
EdgeMetadata
Edge - Preserve metadata from Edge nodes when forwarding to Cribl Stream
Related products: API
See what’s new in our product; check the updates below.
- Provide K=V cleanup and (example) filters for Cisco Meraki logs
Search - This pack helps display all worker groups, routes, pipelines, and packs in one location
Stream - Route to DeepTempo S3 to identify malicious behavior in NetFlow via DeepTempo's foundational LogLM
Stream - This pack retrieves proxied Webex audit logs. These logs must be proxied because Webex tokens are only good for 1 day. The VisiCire platform handles token refreshes and securely proxies events to Cribl.
Stream, Edge - Clean and parse Infoblox logs
Search - This pack provides visibility into Windows event logs, system_state, process events and AD logs. It highlights performance and security signals at a glance, helping teams quickly spot anomalies.
- Collector Pack to process Netskope Alerts and Events
This release focuses on performance and usability across the platform. Here’s a quick taste:

Stream / Edge
• Breadcrumbs added to the Outpost page
• Deprecation warnings for Sources and Destinations, with guided migration paths
• Pipeline Simple Preview capped at 10 MB for better stability
• Cleaner defaults: new Worker Groups, Fleets, and Packs no longer auto-create vars.yml
• Cribl HTTP Destination now supports per-worker throttling
• Azure Blob Storage now supports Azure Government
• Sensitive environment variables are now redacted in Edge system views

Search
• Faster ipv4_is_private performance
• Clear error messages for encrypt/decrypt functions
• Improved event details and saved search usability
• One-click copy for item names and IDs

Lake
• UI fixes for Dataset sizes and long Storage Location names, plus stability improvements

These are just the highlights; check out the full release notes for Stream, Edge, Search, and Lake.
Cribl.Cloud customers are already upgraded; just click Deploy.
On-prem customers can download the update now.

This release is packed with ooey-gooey goodness across the entire product suite. Here’s a taste:

Stream / Edge
• New Cloudflare Source and R2 Destination
• New Databricks Destination for Unity Catalog volumes
• Send Cribl Stream/Edge data to Microsoft Fabric Eventstreams
• C.Decode and C.Encode now support MIME RFC 2047
• Syslog Destination can now preserve original source IP

Search
• Search Notebooks now GA
• Selectively decrypt Stream-encrypted fields
• The 'export' operator can now write to Lake Datasets in external Storage Locations

Lake
• KMS bucket-level encryption on AWS S3 buckets

These are just the highlights; check out all the updates in the full release notes for Search, Stream, Edge, Lake.
If you are using Cribl.Cloud, you have already been upgraded to the latest version. You just need to click "deploy" in your cloud instance.
On-prem customers can get the update at this link.

We’ve rolled out updates across the entire Cribl Suite. Here are some highlights:

Stream / Edge
• Fresh unified Cloud home page
• New IAM Admin role for smoother org & SSO management
• Added Google Cloud Chronicle destination

Search
• Smarter, more flexible Notebooks
• New activity graphs to track workspace usage

Lake
• Added activity graphs + IAM Admin role
• Performance and UI polish throughout

You can check out all the changes in the release notes: Search, Stream, Edge, Lake.
If you are using Cribl.Cloud, you have already been upgraded to the latest version. You just need to click "deploy" in your cloud instance.
On-prem customers can get the update at this link.

Stream
• Cribl Guard: Scan and mask sensitive data in real-time to keep compliance off your back.
• Wiz Webhook Source: Easily pull in Wiz Defend alerts.
• Expanded I/O Monitoring: Instant clarity on pipeline health.
• Collector Packs: You can now build Packs that include all collector sources.

Edge
• Outpost (Preview): Secure relay between Edge nodes and the Leader, no extra proxies needed.
• macOS Support (Preview): Edge now runs on macOS devices.

Search
• Notebooks (Preview): Code + charts + history = faster investigations.

Lake
• Bring Your Own Storage: Use your own Amazon S3 buckets for Lake Datasets.
• Direct Access: Ingest data straight into Lake over HTTP.
• Faster Queries by Default: Lakehouse queries now run directly in Lakehouse for quicker results.

Platform
• New Cribl.Cloud regions: Zurich & Singapore.
• Terraform Provider (Preview): IaC your Cribl resources.

You can check out all the changes in the release notes: Search, Stream, Edge, Lake.
If you are using Cribl.Cloud, you have already been upgraded to the latest version. You just need to click "deploy" in your cloud instance.
On-prem customers can get the update at this link.

This release resolves critical v4.13.1 issues affecting S3 destinations (Region detection, Object Lock) and AWS KMS secret decryption.
Full details in the release notes.

A few highlights:

Search
• Move saved searches, macros & lookups between Packs and global context.
• Cloned Pack dashboards save where you cloned them from (within Pack or global).

Stream
Sources and Destinations:
• Kafka & Confluent: JSON schema support (Avro or JSON)
• Grafana & Loki: Structured metadata for logs (trace IDs, etc.)
• Loki: Allows dynamic HTTP headers per event
• Google Pub/Sub: Monitor with just subscription ID
Packs:
• New REST Packs: CrowdStrike, Okta, Microsoft O365

Edge
• Same Kafka, Confluent, Grafana & Loki updates, at the edge

Action Required: AWS SDK v2 End of Support
AWS ends support for SDK v2 on Sept 8, 2025. Upgrade to 4.13.1+ for SDK v3 and full compatibility.

You can check out all the changes in the release notes: Search, Stream, Edge, Lake.
If you are using Cribl.Cloud, you have already been upgraded to the latest version. You just need to click "deploy" in your cloud instance.
On-prem customers can get the update at this link.

Cribl Stream
• New SentinelOne AI SIEM Destination: Send data directly for faster, flexible ingestion.
• Better Worker Node Tracking: See connection status, last heartbeat, filter by state, and set retention for disconnected nodes.
• Drop Dimensions: Cut storage costs and speed up queries by dropping unused metric dimensions.

Cribl Edge
• Bye PowerShell: No more dependency = faster, smoother deployments.
• Disconnected Edge Node Tracking: Just like Stream, know if your nodes are online, offline, or MIA.

Cribl Lake
• Bigger Lakehouses: Up to 28 TB/day ingest + hydrate old data for faster investigations.
• Splunk DDSS Now GA: Directly ingest archive data from Splunk Cloud.

Cribl Search
• Skip Event-Time Filtering: Prevent gaps by filtering on partition timestamps.
• Read Archived S3: Search restored Glacier data without permanent rehydration.

Platform
• New FinOps Center: Track data costs, refunds, and ROI all in one place.
• Copilot Editor: Now edit existing Pipelines, with more schema support and UX improvements.

Check out all the details in the release notes for Search, Stream, Edge, Lake.
Cribl.Cloud users are already on the latest; just click Deploy.
On-prem? Grab the update here.

The latest and greatest in Cribl 4.11 brings you a brand-new Lakehouse offering, turbocharged EPS ingest, and greater invoice breakdowns by product. But wait, there’s more! Here’s what else is making waves this release:

Lake
• Quickly spin up dedicated datasets in Lakehouse to run fast, flexible searches on your freshest data for real-time analysis. No more compromising performance for budget, no complex schema management, and no data engineering expertise required.

Stream
• Enhancements to Metrics UX include the new Metrics Pipeline Builder to simplify processing metrics and automate aggregations. Goodbye excess noise, hello cleaner, more actionable metrics!
• Optimize data transmission with Splunk S2S Compression! Stream now supports compressed data transfers for Splunk TCP Source, Single Instance Destination, and Splunk LB Destination. Boost speed and efficiency with data flows while maintaining full compatibility with your Splunk setup.
• Optimized Kubernetes Performance for Stream/Edge with Helm charts that now include the CRIBL_K8S_CPU_LIMIT environment variable, auto-aligning Worker Process count with allocated CPU for better stability. Plus, a boost in default resource limits!

Edge
• Increased EPS ingest to 40,000 in the Kubernetes Logs Source with optional load balancing and the ability to scale Worker Processes for improved performance.
• New Kubernetes Explorer delivers a visual interface for exploring clusters, simplifying source configurations by allowing you to inspect nodes, pods, and containers for enhanced visibility and easier troubleshooting.
• Windows Server 2025 Support provides for greater deployment flexibility.

Search
• Copilot now suggests KQL queries and visualizations tailored to your most recently used dataset, eliminating guesswork and helping you jumpstart analysis with smarter, more efficient exploration.
• With Lakehouse, Cribl Search empowers you to search data anywhere, at any speed, whether it’s data-in-place, archived in Cribl Lake, or real-time data at lightning-fast speeds.
• More options with Search Pricing! Your data, your choice:
  • CPU-based pricing based on usage (existing)
  • Subscription-based pricing based on monthly flat-rate (new)
  • Fixed-priced Lakehouse searching (newest)

Platform
• Invoice breakdowns by product let you see exactly how credits are being used in your monthly invoice. Track trends, monitor usage, and manage your Cribl.Cloud bill with complete transparency.

You can check out all the changes in the release notes.
One more thing: we’ve redesigned Cribl Docs to have more pizzazz. Learn about all these new capabilities and master Cribl faster than ever! Check.it.out.

See the latest updates at these links:
• Stream Release Notes
• Edge Release Notes
• Search Release Notes
• Lake Release Notes