Cribl Search 4.18.2 (Coming Soon)

PRODUCT	DATE	RELEASE	ADDITIONAL RESOURCES
Search	2026-06-24	Maintenance	Known Issues, Cribl Lake Release Notes

Summary

Cribl Search 4.18.2 improves investigations, adds the Azure Log Analytics Dataset Provider, adds several enhancements to the Generic HTTP Dataset Provider, extracts fields from JSON in _raw for Lake v2 Datasets, and delivers multiple stability and performance improvements.

Important Changes

Breaking Change: Single-item GET requests return HTTP 404 for unknown IDs in Cribl.Cloud

In Cribl.Cloud, CRUD-style GET-by-ID operations in the Cribl API now return HTTP 404 Not Found when the requested resource ID does not exist. Previously, those operations returned HTTP 200 OK with an empty items array and count: 0.

This change applies only for unknown resource id values. If a resource id exists but the API cannot return it due to filters, the request still returns HTTP 200 OK with an empty items array and count: 0.

What you need to do:

In Cribl.Cloud, for the affected endpoint paths, update API clients that treat HTTP 200 OK with an empty items array and count: 0 as “not found” to handle HTTP 404 Not Found instead. To confirm that an operation returns HTTP 404 Not Found for an unknown id before updating clients, send a GET-by-ID request with a deliberately invalid id.

Expand the following section for a list of the affected endpoint paths.

List of affected endpoint paths

/admin/products/{product}/mappings
/alert/monitors
/alert/silences
/fleet-mappings
/lib/grok
/lib/mdt-devices
/lib/parsers
/lib/protobuf-libraries
/lib/regex
/lib/sds-rules
/lib/sds-rulesets
/mappings
/notification-policies
/notifications
/pack
/products/aetos/config-profiles
/products/aetos/monitors
/products/aetos/shared-configs
/products/lake/lakes/{lakeId}/config
/products/lake/lakes/{lakeId}/direct-access
/products/lake/lakes/{lakeId}/metrics
/search/dashboard-categories
/search/dashboards
/search/dataset-provider-types
/search/datatypes
/search/federated_search/engines
/search/jobs
/search/local_search/dataset-rulesets
/search/local_search/datatype-rulesets
/search/local_search/engines
/search/macros
/search/notebook-templates
/search/notebooks
/search/usage-groups
/system/instance
/system/internal-groups
/system/keys
/system/messages
/system/policies
/system/samples
/system/scripts
/system/users

New Features

Investigations Updates

This release enhances the investigations interface. The web search tool now requires user consent before sending data to protect sensitive logs. During response generation, the Send button becomes a Stop button for easy cancellation. The AI assistant now supports user-created Datasets alongside built-in defaults. Additionally, the chat input now includes a direct link to MCP integration settings, complemented by overall UI consistency improvements.

Comment-Only Queries Are Now Blocked Before Execution

Cribl Search now prevents accidental searches when your query contains only comments. Instead of running the query and returning an error, Search validates the query before execution and surfaces a clear message, saving time and avoiding confusion when you’re iterating on queries by commenting lines out.

JavaScript Expressions in POST Request Body

The POST request body field in the Generic HTTP API Dataset Provider now accepts JavaScript expressions in addition to plain JSON, enabling conditional logic such as cursor-based pagination. Existing JSON bodies continue to work without changes. The Content-Type header is no longer auto-populated on save, and invalid expressions are surfaced as validation errors in the editor.

Azure Log Analytics

You can now search Azure Log Analytics workspaces by setting up Azure Log Analytics Dataset Providers and Datasets.

Lake v2 Datasets Now Parse JSON in `_raw`

Lake v2 Datasets now parse and extract fields from valid JSON stored in _raw, matching the behavior of Lake v1 Datasets.

Dynamic Search Concurrency (Opt-In)

Cribl Search can now autoscale the allowed number of concurrent searches, based on current load. This can replace the static cap with a feedback loop that grows when there’s headroom and shrinks under pressure.

Contact your Cribl account team before enabling this feature to get help choosing the best configuration for your workload. For more details, see dynamic search concurrency.

Dynamic `let` Variables in `in` Operators

You can now reference a let variable bound to a dynamic(...) array or scalar in the value list of the in, !in, in~, and !in~ operators. See Dynamic Values in in Operators.

let allowedMethods = dynamic(["GET", "POST", "PUT"]);

dataset="cribl_search_sample"
 | where method in (allowedMethods)

Full-Text Search Index for Lakehouse Engines

Lakehouse engines can now use a full-text search index that dramatically speeds up searches for alphanumeric tokens in _raw. This is a performance optimization rather than a new capability: when the index is used, Search resolves these searches against an inverted index of _raw instead of scanning every event.

In 4.18.2, the index is off by default. To use it, run set token_search="on"; before a search, or enable it globally. This default may change in a future release.

The following restrictions apply:

The Dataset must have been created in the 4.17.1 release or later. For Datasets created before 4.17.1, only data ingested after May 21, 2026 is indexed.
The search term must be the complete alphanumeric string. Substrings and wildcards are not supported.
Only the search terms in the initial filter use the index. Filters that appear after subsequent operations don’t use the token search.

Usage Group Results Limit Warning

When a search reaches the Results limit set by a Usage Group, Cribl Search now displays a warning in the results toolbar indicating that results may be incomplete.

Corrections

ID	Description
SEARCH-9874	When typing `\| timestats span=1m`, autocomplete no longer incorrectly inserts `avg()` directly after the span value when you press Enter.
SEARCH-10016	Dashboard queries that reference Input variables (for example, `timestats span=$span$ count()`) no longer trigger a syntax error.
SEARCH-10608	The Status column filter in Search History is now case-insensitive and accepts both US and UK spellings (for example, `Canceled` and `Cancelled` both work).
SEARCH-11493	Exporting results to CSV now includes all columns visible in the results table, not just a subset.
SEARCH-13543	When using the Date Range option in the timepicker, Search now automatically sets the milliseconds component to `.000` for the start time and `.999` for the end time. This prevents excluding the last second of the selected range.
SEARCH-13602	The Sampling configuration is now preserved when adding a query to a Notebook or Dashboard from Search Home, and when opening a query from a Notebook or Dashboard.
SEARCH-13811	Fixed an intermittent query failure (`Code 49 / LOGICAL_ERROR: Invalid status NotActive for associated output`) that affected searches against Amazon S3 Datasets storing data with CSV, VPC Flow Logs, and Parquet datatypes.
SEARCH-13996	Concurrent search limits for Usage Groups are now always enforced correctly.

SDK Changelogs

The Cribl SDKs help you integrate with Cribl and reduce the need for repetitive tasks. We maintain changelogs for each version of the Cribl SDKs in their GitHub repositories:

Go SDK changelogs: control plane and management plane
Python SDK changelogs: control plane and management plane
Typescript SDK changelogs: control plane and management plane

Cribl Search 4.18.2 (Coming Soon) ​

Summary ​

Important Changes ​

Breaking Change: Single-item GET requests return HTTP 404 for unknown IDs in Cribl.Cloud ​

New Features ​

Investigations Updates ​

Comment-Only Queries Are Now Blocked Before Execution ​

JavaScript Expressions in POST Request Body ​

Azure Log Analytics ​

Lake v2 Datasets Now Parse JSON in _raw ​

Dynamic Search Concurrency (Opt-In) ​

Dynamic let Variables in in Operators ​

Full-Text Search Index for Lakehouse Engines ​

Usage Group Results Limit Warning ​

Corrections ​

SDK Changelogs ​

Common Resources