CriblVision v4.1.1

CriblVision v4.1.1 contains some quality of life updates to dashboards:

• The Health Check dashboard has been updated to use metric sources for CPU and Memory panels to improve performance.
• All relevant dashboards have been updated to include a Bytes Unit dropdown that allows the user to select the bytes unit measurement used on that dashboard. This defaults to GB.

CriblVision v4.1.0

CriblVision version 4.1.0 comes with a new dashboard detailing reductions made in event size/amount by Routes and Pipelines!

It provides an overview of the total reductions made, as well as a view of reductions over time. Time series panels are overlayed with commit history to show how previous commits may have impacted reduction amounts. If you have the Cribl Redux Stats Pack installed in your environment, this dashboard also provides options for reporting these stats too!

This new dashboard is accessible via the Configuration dropdown in the CriblVision navigation bar.

CriblVision v4.0.0

CriblVision v4.0.0 comes with updates that utilize the new CriblVision for Splunk Pack! The Pack contains templates for REST API Collector jobs that can be run against the Cribl Stream API to retrieve additional context on Leaders, Workers, Single, and Edge Nodes. These events are used by the Populate Cribl Stream Asset Lookup Report to more accurately define the instance types of each Cribl Stream/Edge instance. The precedence for determining the instance type is now:

1. Data obtained through the REST API.
2. The previously inferred instance type.
3. The instance type as calculated from the retrieved logs/metrics.
   If you are not using the CriblVision for Splunk Pack and utilizing the REST API Collector jobs, it is possible to update the cribl_stream_assets lookup file directly to set the instance type as desired.

This release comes with support to filter on Fleets and individual Edge Nodes on each of the relevant dashboards. On top of this, the following dashboard changes have also been made:

• The Active vs Total panels on the Cribl Stream Assets dashboard now drilldown to a breakdown by environment.
• If the Splunk App for Lookup File Editing is installed, a link to the cribl_stream_assets lookup file is included at the bottom of the Cribl Stream Assets dashboard for easy editing.
• The Persistent Queue Analytics dashboard has been updated to include both Source and Destination persistent queues.

CriblVision v3.2.2

CriblVision 3.2.2 is a maintenance release to fix how memory usage is getting calculated. Previously aggregations where being done per worker process, which was reporting less memory usage than expected. These calculations have been updated to sum the memory usage per worker process before continuing with further aggregations.

To ensure that your dashboards and alerts work smoothly when upgrading to version 3.x from version 2.x, please do the following:

1. Install version 3.x of CriblVision
2. Run the CriblVision setup age again:
   1. From the Apps dropdown, select Manage Apps
   2. Selected the Set up action for CriblVision
   3. Follow the instructions on the setup page
3. Run the Populate Cribl Stream Assets Lookup report by either:
   • Clicking the button on the landing page
   • Clicking the link in the navigation bar
4. Double check that any alerts that were enabled are still enabled

If there are issues after completing these steps, you may need to clear your browser cache to clear cached scripts in Splunk. Clear the browser cache and follow from instructions from step 2 onwards.

These instructions are also available in the README. For installing the application by means other than the UI, please refer to the README configuration notes to apply the required configuration.

CriblVision v3.2.1

CriblVision v3.2.1 is a maintenance release to do some tidy up of alerts:

• Fixed a typo in the CPU Usage Over Threshold alert
• Removed unnecessary fields from alert outputs

To ensure that your dashboards and alerts work smoothly when upgrading to version 3.x from version 2.x, please do the following:

1. Install version 3.x of CriblVision
2. Run the CriblVision setup age again:
   1. From the Apps dropdown, select Manage Apps
   2. Selected the Set up action for CriblVision
   3. Follow the instructions on the setup page
3. Run the Populate Cribl Stream Assets Lookup report by either:
   • Clicking the button on the landing page
   • Clicking the link in the navigation bar
4. Double check that any alerts that were enabled are still enabled

If there are issues after completing these steps, you may need to clear your browser cache to clear cached scripts in Splunk. Clear the browser cache and follow from instructions from step 2 onwards.

These instructions are also available in the README. For installing the application by means other than the UI, please refer to the README configuration notes to apply the required configuration.

CriblVision v3.2.0

CriblVision v3.2.0 introduces a new dashboard for troubleshooting Cribl Stream instances that may be dropping events or experiencing subsecond timestamp issues when forwarding to Splunk using the S2S protocol. This dashboard can be accessed from the Configuration dropdown on the CriblVision navigation menu, or there is a link to it from the Welcome page under the Logs and Metrics section.

To ensure that your dashboards and alerts work smoothly when upgrading to version 3.x from version 2.x, please do the following:

1. Install version 3.x of CriblVision
2. Run the CriblVision setup age again:
   1. From the Apps dropdown, select Manage Apps
   2. Selected the Set up action for CriblVision
   3. Follow the instructions on the setup page
3. Run the Populate Cribl Stream Assets Lookup report by either:
   • Clicking the button on the landing page
   • Clicking the link in the navigation bar
4. Double check that any alerts that were enabled are still enabled

If there are issues after completing these steps, you may need to clear your browser cache to clear cached scripts in Splunk. Clear the browser cache and follow from instructions from step 2 onwards.

These instructions are also available in the README. For installing the application by means other than the UI, please refer to the README configuration notes to apply the required configuration.

CriblVision v3.1.0

CriblVision v3.1.0 introduces a new environment filter across the dashboards. If you're tagging your internal Cribl Stream logs with an environment field, you can utilise this to filter dashboards results by environment. If you're not, instances are marked with a generic environment on the dashboards and won't impact your dashboard usage.

A new macro has been introduced to facilitate this. Update the set_cribl_environment_field_name macro to be the name of your Cribl Stream environment field and the asset lookup will be populated with this information the next time the asset populating report is run.

To ensure that your dashboards and alerts work smoothly when upgrading to version 3.x from version 2.x, please do the following:

1. Install version 3.x of CriblVision
2. Run the CriblVision setup age again:
   1. From the Apps dropdown, select Manage Apps
   2. Selected the Set up action for CriblVision
   3. Follow the instructions on the setup page
3. Run the Populate Cribl Stream Assets Lookup report by either:
   • Clicking the button on the landing page
   • Clicking the link in the navigation bar
4. Double check that any alerts that were enabled are still enabled

If there are issues after completing these steps, you may need to clear your browser cache to clear cached scripts in Splunk. Clear the browser cache and follow from instructions from step 2 onwards.

These instructions are also available in the README. For installing the application by means other than the UI, please refer to the README configuration notes to apply the required configuration.

CriblVision v3.0.1

CriblVision v3.0.1 includes some fixes for the following alerts:

• Blocked Destinations: Updated to include the output in the results
• No Inputs From Source: Updated to include a threshold filter
• No Output From Destinations: Updated to include the output in the results
• Persistent Queue Initialized: Updated to include a threshold filter

To ensure that your dashboards and alerts work smoothly when upgrading to version 3.x from version 2.x, please do the following:

1. Install version 3.x of CriblVision
2. Run the CriblVision setup age again:
   1. From the Apps dropdown, select Manage Apps
   2. Selected the Set up action for CriblVision
   3. Follow the instructions on the setup page
3. Run the Populate Cribl Stream Assets Lookup report by either:
   • Clicking the button on the landing page
   • Clicking the link in the navigation bar
4. Double check that any alerts that were enabled are still enabled

If there are issues after completing these steps, you may need to clear your browser cache to clear cached scripts in Splunk. Clear the browser cache and follow from instructions from step 2 onwards.

These instructions are also available in the README. For installing the application by means other than the UI, please refer to the README configuration notes to apply the required configuration.

v3.0.0

CriblVision v3.0.0

CriblVision v3.0.0 comes with an overhaul of the monitoring of Cribl Stream instances across your environments. A new assets lookup has been configured to keep track of all your Leader, Worker, and Single Node Cribl Stream instances. With this has come the following changes:

• An overhaul of the dashboards to use the assets lookup when filtering:
  • Filter by instance types (Leader, Worker, or Single), or select individual Worker Groups
  • The Host filter specifies the type of instance each host is
• The new Cribl Stream Assets dashboard, which provides an overview of the active, shutdown, and missing instances across your environments
• Two new alerts to report on missing and/or shutdown Cribl Stream instances
• Updates to alerts to work with Single Node instances
• Improvements to the Setup and Welcome pages
• Fixed the Alerts dropdown on the navigation bar to include all alerts (not just enabled alerts)
• General fixes to dashboards and alerts

With these changes comes some additional steps when upgrading to ensure that your dashboards and alerts work smoothly. If upgrading from version 2.x please do the following:

1. Install version 3.x of CriblVision
2. Run the CriblVision setup age again:
   1. From the Apps dropdown, select Manage Apps
   2. Selected the Set up action for CriblVision
   3. Follow the instructions on the setup page
3. Run the Populate Cribl Stream Assets Lookup report by either:
   • Clicking the button on the landing page
   • Clicking the link in the navigation bar
4. Double check that any alerts that were enabled are still enabled

If there are issues after completing these steps, you may need to clear your browser cache to clear cached scripts in Splunk. Clear the browser cache and follow from instructions from step 2 onwards.

These instructions are also available in the README. For installing the application by means other than the UI, please refer to the README configuration notes to apply the required configuration.

v2.2.0

Alerts have been added for monitoring your Cribl Stream environment from Splunk. The following alerts have been added so far, with more to come!

• Blocked Destinations
• CPU Usage Over Threshold
• Cluster Communication Errors
• Destinations Experiencing Backpressure
• Persistent Queue Initialized
• RSS Memory Usage Within Threshold
• Unhealthy Destinations
• Unhealthy Sources
• Worker Process Restarted
• No Input From Sources
• No Output From Destinations

All alerts are disabled by default and require scheduling alert action(s) to be configured. The alerts use macros to allow for the tweaking of trigger thresholds. Please refer to the README or Welcome page for a full list of the macros used and what their function is.