Cribl Reviews

I'm a SIEM engineer and we use Splunk and other SIEM tools. Since other SIEM tools are too expensive and security teams need different data to come into their SIEM tools, Cribl helps us filter out unwanted logs coming from syslog devices and other networking devices, which saves our license. We save around 2.2 TB every day using Cribl. All our logs go to Splunk, and we have Cribl positioned between our log sources and Splunk as the main function.

We also use Cribl for filtering and sending data to different outputs. One output is Splunk, and others include Kafka topics and different source sites like Pub/Subs, HEC endpoints, Google Pub/Sub, and Amazon S3 buckets for long-term retention of certain logs.

Recently, I have not yet worked with Cribl Cloud in production, but I had an opportunity to get hands-on experience with their lab environment.

I loved the way they created their cloud and their AI capabilities are good there. Another valuable feature of Cribl on-premises is the way it helps us filter out logs. It's a very easy tool to understand for someone new to these things, and it's easy for us to explain to new recruits we hire.

Firewall logs contain a lot of entries that security teams and audit teams don't require. We use filtering and regex in Cribl to remove unwanted logs that no one requires, such as entry logs and in-and-out logs that the syslog and firewall device would send anyway. We only need the threat logs and security logs. We save around 1 to 2 TB of logs every day using Cribl.

Regarding complexity, as I mentioned before, Cribl is very simple to use. When I started 2.5 years ago, it was very easy to learn. I learned Cribl within a week, and even though I was a fresher at the time, it was easy to understand and not complex enough that someone would need to spend money on labs. It's not that complex to learn.

Regarding cost efficiency, it's very good because nowadays the SIEM tools we use are too expensive on license, and SIEM tools base their license on how many logs get ingested. The unwanted logs, particularly firewall logs, represent a significant portion of unnecessary ingestion. Cribl saves our license by filtering out half of the firewall logs that are unwanted. Our main purpose for using Cribl is to save our license and save money.

Currently, everyone is moving toward AI agents. We currently use regex, and AI agents could help us create those regex patterns to drop events or add raw data to events. Currently, we sit down, review the logs, and create regex patterns manually, which can be time-consuming. An AI agent could reduce this time. I read some articles indicating that Cribl Cloud has started using AI and considering MCPs and model context, but I'm not certain how far along they are. If Cribl asked me what they could improve, that would be my suggestion. The support is very good, and I had a few issues with Cribl where I raised support cases and received good responses, which is better than the quick response I didn't get from other SIEM tools and vendor tools I use.

Compared to other SIEM tools, Cribl is cheaper than Splunk and DataDogs. However, it's still a bit expensive from my point of view, though I won't call it expensive. Overall, I think 99% of companies use Cribl before their SIEM tools, and compared to SIEM tools, Cribl is cheaper. Companies can use any SIEM tool such as Google, Splunk, or Cisco, and Cribl is cheaper than those SIEM tools. They might have a slight chance to reduce costs further, but I'm not the correct person to evaluate that since I'm more focused on the operational side.

Regarding training, it was quite easy to grasp. It took me almost a week to understand the basic functionalities and what Cribl does. Getting more expertise took additional time, but basic functionalities and understanding what Cribl does took around four to five days. One point I want to mention is that Cribl could improve their labs or training materials in their Cribl Cloud or whatever portal they have.

I have been using Cribl personally for around 2.5 to 2.8 years. My company has been using it for a longer time, but I joined the company seven months ago, so my hands-on experience with it is around 2.5 to 2.8 years.

Regarding the metric part, I haven't worked much with it, so I can't tell much more about that. However, regarding log volume, it's very good. I have personally used Cribl with 10 to 12 TB of data per day in 24 hours, and I have not found any problem with log latency or ingestion issues, or Cribl not being able to handle this volume. I have not faced such issues on the logging side. On the metric side, I'm too new to provide an answer.

Currently, I haven't seen any instability or latency issues. We tried to boost logs from 4 to 5 TB up to 7 to 10 to 12 TB, and we didn't find any lagging or Cribl going down. We found initially negligible latency, but with the help of their support team, we figured out how to improve our latency. Till now, I haven't seen any outage or severe outage that would require a serious discussion about needing a resource to maintain Cribl. I don't recall the last time we maintained Cribl or checked how it's running. Maintenance is very rare.

Cribl scales very well. I'm not entirely certain about the license aspect since it's based on how much log volume we put in. Initially, we had around 3 to 4 TB of license ingestion, and then we increased it to 8 to 10 TB. We raised a request to increase the license and got a new license with 8 to 10 TB of logs per day ingestion capacity. We were able to scale it very quickly without much effort required. That was a doubling from four to eight or 10 TB, but I have never tried scaling beyond that, and I haven't heard people complaining that Cribl cannot scale up.

The best part about Cribl from a scalability point of view is that it doesn't require much operating system configuration. Otherwise, we need to check every time those servers get patched, and we need to verify that anything changed on the operating system doesn't affect Cribl. That's not happening with Cribl. Any small issue on the operating system end also doesn't impact Cribl. Compared to other SIEM tools I use, any slight change on the operating system end impacts a lot on our SIEM tools and other things, but Cribl performs well in that regard.

The support is very good. I raised a few Cribl support cases for issues I encountered and received good support from them. This is better than the quick response I didn't receive from other SIEM tools and vendor tools I use.

Positive

We have not used license-based tools previously. We tried using Logstash and Fluentd, which are open-source tools, but only for demo purposes. Since those are open-source tools, we cannot compare open-source tools with license-based tools. I never had a chance to work on any license or vendor tool related to Cribl before.

We check the latest version of Cribl and upgrade to the latest version or whatever version we are comfortable with if a new version is available. Overall, we don't see any regular maintenance required. We are using Cribl on our virtual machines, and one good point is that Cribl doesn't require much operating system configuration. Basic operating system configuration can run Cribl. Compared to other SIEM tools that need legitimate operating system configuration and their operating system kernel versions, Cribl is quite friendly in that regard. Simple basic operating system configuration works, and Cribl doesn't need regular maintenance where we need a resource running maintenance tasks every day.

From an engineering view, I would rate Cribl nine out of ten. I'm not certain about the license and pricing aspects, which is the one thing I consider. Overall, I enjoy working with Cribl and would give it an eight to nine rating. However, I'll give it an eight because there are always points of refinement, and nothing is perfect. My overall review rating for this product is eight out of ten.

We generally use Cribl for dropping or optimizing our logs and data. We optimize logs using Cribl pipelines, then we route it to Splunk. That was our primary use case.

Our primary goal with using Cribl was to reduce our Cisco firewall logs where we are dropping the logs which are not necessary in our traffic-related logs, or the logs which generally only show a connection status. Those types of logs we were dropping using Cribl.

What I like most about Cribl is the overall pipeline structure and easiness. It is very easy to use and it also provides all the necessary features which are required in data processing. We do not need to learn so many things to do complex tasks. That's what I really appreciate about it. It's doing a simple process where you just need to know about your logic and that thing may be pre-built on Cribl. Cribl provides packages and all the features.

I would say Cribl provides you the value of your money. It provides you a good user interface where you manage all your data. You don't need to worry about your backend. Specifically, I'm talking about Cribl Cloud, as I have mostly been working with Cribl Cloud. It's very cost-optimized, or I can say whatever I'm paying, I'm getting all out of that.

Overall, the pipelines and all the features are good with Cribl. The UI is good. Just sometimes, when I actually started using Cribl, I faced the issue where I was not able to connect the nodes. The pipeline is structured in a certain way, then the data will be routed to there, and something of that nature. I was very much confused about their whole products, such as Data Lake and pipelines. It's possible that at that time I didn't take any university courses, which is why I did not know much. But if they can give an intro on how we can connect nodes, or they can provide simple use cases showing what you can do with Cribl, it would help. If you just need to add the source and the destination and pre-build some proper workflow, then it will be easy for new customers to navigate through Cribl.

I have been working with Cribl for around one and a half years.

I don't feel Cribl has any issue with handling high volumes of diverse data types. We were ingesting around 10 TB of data daily, and we were reducing it to around six or five and a half terabytes. So it is pretty efficient. We have not faced any major issues with our ingestion or anything of that nature. It has the capability to catch up according to the data ingestion rate.

I have not seen any lagging, crashing, or downtime in Cribl at any particular time. But if I speak about lagging or anything, I faced some issue while capturing the log on the live source. Whenever I tried to capture the logs, I was a bit confused about whether logs are getting captured or if I was doing anything wrong. Because it does not show any error if my configuration is missing or something of that nature. Otherwise, I don't have any issue regarding Cribl performance or anything.

I don't think there is any issue regarding scalability with Cribl. As we were ingesting around 10 terabytes of data every day and it didn't affect or cause any issue on any day.

I would not say I have tried an alternative to Cribl properly. We tried to implement the same use case using Splunk Ingest Processor or Edge Processor, which is the recent product of Splunk. It is not that straightforward as Cribl. We must play in a restricted environment where we have limited support of the Splunk command. So I cannot say that it is actually similar to Cribl or something of that nature, and I have not used any others.

I was able to create one simple pipeline with Cribl which was just dropping the data in around eight to twelve hours total. In which I basically understood what routes and pipelines are. I was playing with the UI and how the functions are working, how the pipeline flows the data, how can I duplicate the data, how can I drop, how can I null queue, and things of that nature.

I have been working with Cribl for three years now. Cribl was introduced some time ago but has been recently highlighted in the market, and people in my firm started using it.

I lead an engineering domain in my firm, and I am leading almost six to seven projects, all of which have Cribl at this moment. Before Cribl, we used a syslog forwarder to forward third-party logs to our SIEM solution. In some cases, the SIEM solution is Sentinel, and in other cases, it is Splunk. We used the syslog forwarder to have these logs normalized and sent into the Sentinel workspace via syslog forwarder. However, once Cribl was introduced, we have seen several advantageous features that are not available in the syslog forwarder for normalization but are readily available in Cribl. Additionally, from the source end, we can perform filtration that was not possible before Cribl was available. Another advantage of Cribl is that we can customize the logs and tagging of the logs according to our needs. In summary, there is full control of logs coming from the source end when they are sent into our SIEM solution via Cribl. These three reasons are why we are using Cribl.

We are onboarding firewall logs into our environment using Cribl as well. There are no issues in implementing firewall logs or having those logs into the environment.

We are improving in terms of managing endpoints. We now have a dashboard in Cribl itself. This is improving our time management. However, we have created an internal dashboard on the Sentinel platform which we manage instead of using the Cribl dashboard. We have not leveraged that feature at this moment.

The valuable features are normalization, an easy graphical user interface, and the feature to have multiple pipelines for the same log source. The feature to have multiple pipelines is the most amazing feature of Cribl that I appreciate the most.

These features are beneficial because there are very few options in the market. The initial old school approach was syslog forwarder. Several other tools are available in the market, but those tools do not have as much control capability as Cribl provides. Additionally, Cribl is hosted on the cloud, and most products, solutions, and SIEM platforms nowadays are on the cloud as well. This creates a good integration between the products.

The deployment was smooth across all seven projects I have. Everything was in place, with documents and step-by-step guidance readily available. Cribl support is very good. Whenever we got stuck, we just needed to open a ticket, and the support team was very responsive and helped us get the deployment done quickly.

Cribl should enhance the homepage. The user interface is very simple, and you can see all your workers or worker groups on the homepage itself. However, a layman or someone jumping into the portal for the first time might get confused because they may not be aware of where their log sources are mapped or which worker group their log sources are mapped into. The homepage could be further simplified to address this confusion.

Cribl should work on enhancement of their graphical user interface. They definitely need to work on their pricing. If they address the costing aspect, they are the big players and have a bright scope in the market because they are doing very well. They should find alternative pricing models for small-size firms that want to utilize their features but cannot do so due to cost constraints.

Cribl should work on their turnaround time for support tickets. In my environment, we have AWS, Microsoft, Cribl, and GCP in some cases, so we have different SLAs for different tickets. For Cribl, a very low severity ticket has a turnaround time of almost around twenty-four hours. Even after twenty-four hours, if people follow up, they do respond, but sometimes they take a lot of time to respond even to very simple or small issues. They should improve that turnaround time.

I have heard from someone on LinkedIn that there is a limitation in Cribl, but I have not explored that myself, so I should not make definitive comments about it.

I have been working with Cribl for three years now.

Cribl sometimes behaves unexpectedly, but this is rare. When log volumes are very high, Cribl workers or the servers behind Cribl start behaving weirdly. We have seen ingestion latency in the SIEM platform, and we have also observed sometimes a drop in the logs. Cribl is designed to deal with certain kinds of loads and is not designed to handle any scenario in the market. We need to be very careful when sending huge volumes of logs via Cribl to any SIEM platform.

The turnaround time for support tickets needs improvement. In my environment, I have AWS, Microsoft, Cribl, and GCP in some cases, so I have different SLAs for different tickets. For Cribl, a very low severity ticket has a turnaround time of almost around twenty-four hours. Even after twenty-four hours, if people follow up, they do respond, but sometimes they take a lot of time to respond even to very simple or small issues. Cribl support should work on improving that turnaround time.

Positive

We previously used a syslog forwarder, which is not a tool but an old school methodology. We have now gotten rid of each syslog forwarder, and Cribl has taken over that responsibility.

There are no challenges or complexity with the initial setup. Cribl is hosted on a server itself and is very easy to set up. It hardly takes two to three hours to complete the whole setup from beginning to end. It is not that complex. Documents are available on the internet as open source, and Cribl University has resources available as well. It hardly takes around three hours to get everything set up with all the process and approvals.

The deployment process across all seven projects was smooth. Everything was in place, with documents and step-by-step guidance readily available. Cribl support is very good. Whenever we got stuck, we just needed to open a ticket, and the support team was very responsive and helped us get the deployment done quickly.

The documents were ready, and step-by-step guidance was available. Cribl support is very good. Whenever we got stuck, we just needed to open a ticket, and the support team was very responsive. They reached out to us and helped us get the deployment done very quickly if we got stuck somewhere.

Cribl is a huge investment for a firm like Deloitte. However, we do not have any other good solutions or good options in the market, so we do not have another option to choose from. I have already started exploring alternative solutions that are going to give a cheaper solution. However, we are also not going to compromise with quality. Vega is similar to Cribl and is something I have mentioned. From the ROI perspective, Cribl is a huge investment.

Cribl is a very costly product. The complexity is not an issue because it is very easy to understand. With Cribl University courses, a person who is very new to Cribl can easily grasp the content. Cribl itself has provided many resources on the marketplace that we can leverage. However, in terms of costing, Cribl is a very costly product. People nowadays have started considering alternative solutions. There is a tool called Vega in the market that was very recently introduced. We are also having POC sessions going on there. Cost-wise, Cribl is a costly tool, but complexity-wise, it is a very quick tool to adopt.

Vega is an alternative solution in the market that was very recently introduced, and we are having POC sessions with it.

When comparing both products, Cribl will definitely win in each aspect because we did a POC recently and did not find Vega to be as effective as Cribl. The only point where Vega is winning is in pricing terms. They have very attractive prices. However, we do not want to compromise with quality. Cribl is leading in each aspect. Vega is still lacking the basic things that Cribl already covers. Cribl is much more mature in the market now. Nobody stands very close to Cribl.

I would recommend Cribl to small-scale firms looking for this kind of solution. They should go through some documentation and videos, or they could set up some time with Cribl if they want. Cribl is a good product and tool in the market that can help with normalization, setup, and segregation of logs. However, the challenge people face is the cost. I am okay with this because my firm has a budget and can afford it. For small-scale sectors, I think Cribl needs to come up with one more pricing model, maybe with fewer features, but they should develop alternative pricing options.

Cribl Edge makes the environment very much managed. We have created multiple pipelines, and using those pipelines, we do not need to have any tagging done at the destination level. From the source level itself, within the pipeline, we can map the tags, and the logs are very much managed in the workspace itself. At times of audits and compliance, everything is managed there. It is helpful.

For the Cribl Search feature, I have seen log ingestion problems, latency issues, and sometimes the dropping of logs. Cribl Search comes into the picture to help us understand if we are missing something or having some latency in the logs. It shows us where we have a latency and which root cause is creating the problem, which server is creating the problem, and which worker group is creating the problem. Using Cribl Search makes it more effective for us.

The overall review rating for this product is seven out of ten.

I have used Cribl for log volume reduction with SIEM tools including Splunk, Sentinel, and Elastic. The raw logs contained a lot of noise, and Cribl helped me filter unnecessary logs, drop low-value fields, reduce repetitive logs, and remove unused attributes. I achieved 40 to 80% reduction in existing volume, which resulted in faster searches and good cost savings.

Cribl helped me route the same log streams to multiple destinations based on conditions I wanted to implement. Firewall logs were sorted with error messages. Whenever I received firewall messages, different types of traffic were allowed or denied, and there were threats from malware, scans, IPS, VPN connections, and authentication failures. I added context to the logs that was useful for SOC teams, including geo-location based on asset owners and application names. Since firewall logs were highly verbose and expensive to ingest into the SIEMs, I used Cribl to parse and transform them into structured fields, enriching the geo and asset context. I also dropped noise from the traffic we received and routed only threat and deny logs to the SIEM while storing the rest in S3 for long-term analysis.

Whenever I received high volume log metrics, Cribl proved to be the best solution. Using Cribl, I processed millions of data per second from various sources including firewalls, Kubernetes clusters, cloud platforms, and Prometheus, which is one of the primary sources from which I receive data. Cribl efficiently handles high-volume logs and metrics through horizontal scaling, easy filtering, smart sampling, metric cardinality reduction, and tiered routing. This ensures performance, cost control, and reliable observability even at massive scale. I primarily worked on the scaling part, including auto-scaling, and I also used load balancers to balance the load between worker nodes and the leader node.

Cribl reduces data complexity by normalizing log formats, handling schemas, flattening nested data, and reducing high cardinality fields. I worked with instances where I had different JSON files and set cardinality fields including request ID, session ID, and pod UID. By applying conditional parsing, flattening JSON nesting files, and removing high cardinality fields, I simplified downstream analytics and reduced ingestion cost by almost 60%. In our projects, each team works on particular domains, and I was specifically working with load balancing, auto-scaling, and routing data to destinations. Cribl is one of the most reliable solutions I have worked with, and it has provided a user-friendly experience. Whenever I wanted to access data from years back to check for seasonality impact, Cribl helped me accomplish this. I believe that if this feature works well, the other features will also work seamlessly.

Cribl is one of the best data pipelining platforms, and with all the features that have been upgraded over the past three years, it has been seamless. Although it is on an expensive side compared to competitors such as Edge Delta and many other platforms, Cribl is one of the most secured solutions. When data passes through or when I store any data in hot tier, cold tier, or archive storage, it is very easy to determine which data to keep, and the data routing process is seamless when compared to other platforms.

Regarding the UI, depending on the configuration, the home screen shows me how the system's health is, including the ingestion rates and how events are working in per second. Throughput charts are available, and errors or warnings also pop up. The UI is well-organized for me. Whenever I log into Cribl UI, I directly go to the streams to classify the incoming logs and then create a pipeline using the drag-and-drop builder. I do not need to write full code because it has drag-and-drop functions. I choose functions such as Parse, Eval, Drop, and live events preview to test against sample events. Once this is done, I assign routes to destinations. The particular destinations I worked with include Splunk and Stream. Finally, I monitor the throughput, errors, and metrics dashboard and adjust as needed. Cribl follows a very systematic approach in the UI part, and it is a hassle-free solution for developers to work on.

I have not worked with Cribl Search very much, but I have worked extensively with Cribl Stream. From my certification, I remember that Cribl Search's Search-in-Place feature allows me to query data when it is already living. Without re-ingesting data into a SIEM, I can search it through Cribl dashboards. For example, I keep data in the SIEM for 7 to 14 days, for months or years in object storage. Cribl Search allows federated on-demand logs and metrics. When platforms can access data without ingesting it directly into the SIEM, I can directly use the on-demand function, and it is mainly used for cost-effective historical search or investigations that have already been done in past years. This Cribl Search feature helps me check seasonality impact, such as comparing last year's revenue percentage to this year's revenue. This helps me make better decisions about the market. Since my client is Microsoft and I ingest heavy amounts of data every day, Cribl has been handling this very well.

To improve Cribl, I would focus on comparing performance and architecture with other tools. High volume efficiency can be made more seamless, such as improving the identification of noisy sources via metrics and sampling repetitive logs. This feature already exists, but I am talking about how to make it more efficient. I will focus on the high volume data part, reducing data complexity, making performance metrics more visible, and the dashboard can be more interactive. Integration of AI tools can be much more helpful. I am pretty sure that the developers of Cribl have been working on that and an update will come soon with AI integration. However, I need to ensure that data is secured as much as possible because data security is non-negotiable for data engineers.

Cribl is a very interactive application for me and one of my favorite applications to work on. I hope to have more opportunities to work with Cribl. The cost part is very high compared to alternatives such as Edge Delta, which offers much cheaper prices. However, price comes with a cost, and speed and security come with a price.

Integrating AI is one of the most valuable improvements. It will most likely be Copilot because I do not think OpenAI will agree to integrate with Cribl, or Cloud may also come in, but I believe Copilot will be first. Integration of Copilot will be a big advantage for everyone. I would not need to run scripts or go back to documentation to check function syntax because there are many functions I need to use in day-to-day life, and it is very hard to remember every function syntax. When I integrate AI, it will directly help me get the functions. I just need to provide the prompt needed, extract the data from the Copilot chat, and use it in my day-to-day life. My overall review rating for Cribl is 9 out of 10.

I have been working with Cribl for three years and two months.

I have faced only one or two instances with the login part, but it was due to maintenance. The Cribl platform was not accepting my credentials during that time, but it was resolved quickly. I have not come across any customer-facing issues, so I would not be able to provide additional details on that.

Whenever I received high volume log metrics consistently, Cribl proved to have the best capabilities. Using Cribl, I processed millions of data per second from various sources including firewalls, Kubernetes clusters, cloud platforms, and Prometheus, which is one of the primary sources from which I receive data. Cribl efficiently handles high-volume logs and metrics through horizontal scaling, easy filtering, smart sampling, metric cardinality reduction, and tiered routing. This ensures performance, cost control, and reliable observability even at massive scale. The primary thing I worked on is the scaling part, including auto-scaling, and I also used load balancers to balance the load between worker nodes and the leader node. Auto-scaling is available and automatically adjusts the scaling part.

I have not worked with other solutions directly, but recently I had an opportunity to speak with the Edge Delta founder who wanted me to review Edge Delta versus Cribl. In that discussion, I remembered some points such as high scalability and auto-scaling being features in Cribl and not in Edge Delta, but Edge Delta may be able to compete on price at some point. When they integrate AI, there may be some additional advantages. Since I work for my organization, the organization bears the whole cost, and I have not directly purchased Cribl software. There are some features that could be included in the basic package, similar to Power App tools in Microsoft. There are many advanced features that require paying additional fees. Some basic features could be added directly to the subscription plan rather than being offered as custom configurations or particular add-ons.

The setup was straightforward with no complexity. Every application nowadays has a seamless experience, and three years ago when I was getting into Cribl, it was already very interactive for me. One additional observation is that there are not many learning videos for Cribl on YouTube platforms or free learning platforms other than Cribl University. I think they will slowly integrate into other streaming platforms as well so that it will be more helpful for users to get into the application.

I did not require an implementation team. When I signed up with credentials, I created an account by signing up with all the details and filling out the form using Cribl's payment gateway. I followed the same process as I would for AWS or Azure. I did not use different options to buy from the Azure platform. I received the credentials directly and just logged in with them. When I was getting certification, I was redirected to their website to buy directly, not from any vendor apps.

The most talked about point for Cribl is that it is one of the most seamless applications to work on. The speed at which it processes data and handles high ingestion volumes is why it is one of the most expensive platforms. I have not worked with anything other than Cribl, so I am not able to compare. However, since my client is Microsoft and I ingest heavy amounts of data every day, Cribl has been handling this very well.

I have not worked with Cribl Search very much, but I worked extensively with Cribl Stream. From my certification, I remember that Cribl Search's Search-in-Place feature allows me to query data when it is already living. Without re-ingesting data into a SIEM, I can search it through Cribl dashboards. For example, I keep data in the SIEM for 7 to 14 days, for months or years in object storage. Cribl Search allows federated on-demand logs and metrics. When platforms can access data without ingesting it directly into the SIEM, I can directly use the on-demand function, and it is mainly used for cost-effective historical search or investigations that have already been done in past years. This Cribl Search feature helps me check seasonality impact, such as comparing last year's revenue percentage to this year's revenue. This helps me make better decisions about the market.

To improve Cribl, I would focus on comparing performance and architecture with other tools. High volume efficiency can be made more seamless, such as improving the identification of noisy sources via metrics and sampling repetitive logs. This feature already exists, but I am talking about how to make it more efficient. I will focus on the high volume data part, reducing data complexity, making performance metrics more visible, and the dashboard can be more interactive. Integration of AI tools can be much more helpful. I am pretty sure that the developers of Cribl have been working on that and an update will come soon with AI integration. However, I need to ensure that data is secured as much as possible because data security is non-negotiable for data engineers.

Cribl is a very interactive application for me and one of my favorite applications to work on. I hope to have more opportunities to work with Cribl. The cost part is very high compared to alternatives such as Edge Delta, which offers much cheaper prices. However, price comes with a cost, and speed and security come with a price.

Integrating AI is one of the most valuable improvements. It will most likely be Copilot because I do not think OpenAI will agree to integrate with Cribl, or Cloud may also come in, but I believe Copilot will be first. Integration of Copilot will be a big advantage for everyone. I would not need to run scripts or go back to documentation to check function syntax because there are many functions I need to use in day-to-day life, and it is very hard to remember every function syntax. When I integrate AI, it will directly help me get the functions. I just need to provide the prompt needed, extract the data from the Copilot chat, and use it in my day-to-day life. My overall review rating for Cribl is 9 out of 10.

We started our Cribl journey at the end of 2022, but we have been evaluating Cribl since 2020. We have been using Cribl from the end of 2022 till now, and the use case that brought Cribl into the picture is a critical business application sending its transactional logs into a database which got overwhelmed due to the sheer volume of logs. We evaluated Cribl for that use case, and now it has evolved into much more than just servicing that use case in our organization, making it a three-plus-year journey into Cribl.

Cribl plays the core essential function of handling the data telemetry pipeline in our organization, enhancing the way we collect data and bring logs from different sources. The way we have deployed Cribl is to coexist with our existing toolsets, not replacing them but working alongside them to bring the data faster and easier while managing the licensing and transforming the data from various sources. The easy agentless collection is the first feature that comes to mind as one of the critical features I appreciate the most, along with its versatility to deploy Cribl Stream for agentless collection and Cribl Edge for agented collection wherever necessary.

Collecting data is where Cribl excels, as it allows us to collect data from diverse sources easily and route it to multiple destinations, all while providing the ability to transform or apply any type of redaction on the fly through an easy-to-use UI. The features mentioned, such as easy data collection from different sources, benefit us by allowing us to be agentless wherever possible. In today's IT world, with a hybrid multi-cloud environment, we can't always deploy agents to collect data, so Cribl's agentless collection mechanism helps us get data into our environment quickly.

Cribl has been instrumental in containing our data costs, especially as we use leading log aggregation and SIEM tools known for their heavy licensing costs by ingest. Placing Cribl in our data telemetry pipeline enables us to achieve streaming the same information to multiple destinations, which fast-tracks the way we conduct POCs with various tools in the realm of observability. I saved over $200,000 in licensing by enriching and transforming the data efficiently, dropping unnecessary information and only sending relevant data to our teams.

When discussing Cribl's ability to handle high volumes of diverse data, such as logs and metrics, it plays a pivotal role. It can be deployed as an agentless collector or an agented collector, giving us control over how we collect data from sources more efficiently. We can send data into an S3 or Cribl Lake, which helps control storage costs while providing better retention aligned with our organizational needs. Firewalls produce a lot of data essential for network troubleshooting and security analytics, and handling it with a third-party log aggregation vendor often incurs high licensing and storage costs. With Cribl, we offload firewall logs from our existing log aggregation tool into low-cost storage with higher retention periods, enabling us to search the data directly using Cribl's search functionalities, creating a unified view for our networking and security teams and achieving close to a 40% reduction in firewall logs.

Cribl can improve by providing automated analytics and advanced parsing capabilities since it handles data at its core. I'm particularly interested in innovations such as Cribl Guard for automated PCI and PII masking, and a more stringent role-based access control feature would enhance security and allow granular control over what users can see and access.

I've been working in this industry for over a decade now, close to a 15-year mark, as I started my career as a system administrator and slowly grew into this managerial role. I've stayed close with the current technology I've worked with since my start till now, and for over seven years, I have been in the monitoring and logging area where I have developed myself into this management role.

Cribl's scalability is impressive, playing a vital role in transforming our logging strategy with its vendor-agnostic design. We use a hybrid deployment approach and a pull mechanism for most data sources. Managing data onboarding and transition becomes easier with Cribl, allowing for efficient growth as needs increase.

Cribl's customer service and technical support exceed expectations, with a knowledgeable sales team and service executive who assist in resolving issues swiftly. Most support requests arise from our limited product knowledge rather than product issues, and the Cribl support team resolves queries typically within four hours.

Positive

The biggest return on investment with Cribl is improved handling of data and efficient routing to multiple destinations, saving costs across infrastructure and licensing. Cribl is versatile and continues to develop, allowing us to strategize and manage our observability landscape effectively.

Cribl has been excellent when it comes to pricing, setup cost, and licensing. The team navigates us through their models seamlessly and we adopt Cribl Cloud easily. Within a month's time, we're able to transfer 400 to 500 GB of data from a different logging solution, thus positioning Cribl as a core piece in our telemetry pipeline.

Deploying Cribl is straightforward; we quickly set up our Cribl Cloud tenant and defined the architecture through resident services and core architects. We manage to create a hybrid deployment model efficiently, bringing substantial savings in licensing and infrastructure costs while enhancing our data handling capabilities.

We deploy in a hybrid model, integrating worker nodes and Edge fleet in our enterprise data centers and cloud platforms near our data sources while using Cribl Cloud for management, ensuring limited access to prevent unwanted changes. In our AI journey, we are just getting started, becoming somewhat novice in this area. Cribl has enabled us to lean toward AI by integrating tools such as Copilot, which helps fast-track building pipelines and generating scripts. With Copilot, we see increased productivity, making it a key feature that enhances how we learn and utilize Cribl.

Cribl Search has significantly improved the way we handle and explore data. Initially, we onboarded all networking devices to stream data into low-cost storage, using Cribl Search to query that data, which now gives our networking, security, and operations teams a single data set to query without the need to remember multiple sets. The setup is cost-effective, and the federated method of Cribl Search allows for efficient querying without performance loss, enhancing our analytics capabilities.

Cribl's user interface is straightforward and user-friendly, allowing us to set up data collection sources quickly. It's self-explanatory, helping me navigate and visualize data without relying solely on commands. I appreciate how Cribl's UX caters to users, making tools accessible without needing extensive knowledge transfers. Based on our usage, I would rate Cribl a 10 overall.

Our main use case for Cribl is primarily taking data from all of our different data sources, doing some processing, field extractions, normalizing the data, and then sending it along to our SIM for security incident response and investigation.

My favorite feature of Cribl is just how easy it makes working with the data; it's always been a pain point for us with other solutions, just taking our raw data from the source, transforming and manipulating it into what we need on the SIM side. That's always been a pretty heavy lift, however, Cribl has made that much easier. 

The tools built into the platform allow us to work with the data, see the results in real-time, see what the output's going to look before we commit it, and has really made our job in that respect a lot easier.

The Cribl UI is very simple and easy to use, particularly when working with data from various sources; it makes it very easy to create pipelines, add complex logic to those pipelines, and then gives you a preview of what your data looks like before applying that pipeline and what you get after. 

As we're bringing data in and Cribl's processing it, it makes it very easy to identify subsets of data or certain events that source data that maybe are less useful or just noisy, not really applicable to to what we need what our security team needs, and we're able to just drop those events before they get sent out and and ingested by our SIEM. So that helps keep our data pipeline streamlined, keeps our output clean. It filters out noise, and then it makes our analysis more efficient. That reduces the data volume going into our SIMs, and that reduces and limits the ingest costs associated with that end. With less data, there's less to process when you're running complex searches. So we have charges against those compute resources reduced.

There are opportunities for AI to be incorporated more tightly into Cribl to help build out those pipelines and apply some more complex logic to those transformations could be useful. 

Optimizing CPU utilization on the edge side is something that could be improved; we see, particularly on older hardware and older OSes, Cribl Edge service can eat up quite a bit of CPU resources compared to some other products we've used in the past, indicating there's room for improvement.

We've been using Cribl for about one year.

We have run into a few performance issues and system crashes, mainly due to administrator error; building inefficient pipelines ended up utilizing or over-consuming CPU resources on the worker server, causing some outages. We've worked with Cribl support to resolve those issues, and it's been pretty stable recently. 

As we've only been using Cribl for about a year now, I view many of those issues as part of learning the product and becoming better stewards of the system.

We've only been using Cribl for about a year, so we haven't really seen much expansion and are still in a holding pattern. However, leveraging cloud resources does provide the ability to scale; we can provision additional servers on-prem to handle more data load as we scale up and bring on more resources, so I'm confident we'll be able to meet our future demands.

When we've had issues with Cribl, the support we've received has been fantastic; they've been very responsive. 

Our account team has stayed on top of the issues we've submitted, and all of the technicians we've worked with have been very knowledgeable, so we've been very happy with Cribl support overall. 

On a scale of one to ten, I would give customer service a nine; I'm hesitant to say ten out of principle. There's always room for improvement. 

The technicians we've been paired with on the cases we've submitted have all been knowledgeable and responsive. Our account team has been great, and when we've raised questions or concerns, they're quick to provide assistance.

Positive

Our primary driver behind implementing Cribl was the need to normalize our data with our existing SIM solution at the time; we had numerous problems making it easily searchable and analyzable. With our previous solution, we easily onboard new data sources, however, as we did that, we weren't necessarily taking the time to properly extract the fields out of that data that we needed. 

Consequently, we ended up with a lot of data that was either not helpful or just not usable at all, which just consumed costs and space. Cribl addresses this by allowing us to easily create those pipelines and manipulate the data so that we could reduce the amount of information that we're ingesting that was not useful.

Overall, the deployment of Cribl was very easy. We did not really run into too many challenges at all. 

We deployed a hybrid architecture, so we primarily leverage the Cribl cloud. We also have some on-premises workers who we have connected to the cloud. It's a cloud-connected, yet independent leader and has worker nodes for processing edge data from offline edge nodes. So those systems are in secure VLANs and don't have outbound internet access. We're able to stand up an on-premises infrastructure that is still cloud-connected, that's part of our overall environment, and can capture that data and send it along to our system. So overall, we really did not have any challenges standing up the infrastructure. It's been very easy to stand up and maintain.

The return on investment for Cribl is that we've seen it really pay for itself. 

When we recently went through a SIM migration from Splunk to Microsoft Sentinel, we incorporated Cribl to help us reduce our ingest costs. What we've seen is really an overall reduction of just shy of 40% in our ingest into our SIM platform versus prior to having Cribl, and those ingest costs have basically canceled out the pricing of Cribl licensing for us based on the volume of data that we have.

I don't recall considering other similar solutions to Cribl. Cribl was the frontrunner on that one. We did a proof of concept early on and immediately saw how easy it was to work with the data and recognized the value it could bring, leading us to move forward with it.

I would advise other companies considering Cribl to just do it; it's worth it, as there's really little to no downside. It just makes your life easier. 

On a scale of one to ten, I would rate Cribl a nine, as it brings tremendous value. 

As a small security team, it really empowers us to get more useful data out of our sources, making our SOC and incident response teams more efficient and improving the overall security posture of our organization as we now have accurate, usable, easily analyzed data.

Cribl is primarily used to reduce data volume. When large datasets arrive, such as 1 TB of data, it can be reduced by 600 GB or 400 GB while maintaining the same information. Additionally, Cribl is used to send the same data to multiple destinations. The same data can be copied and sent to different products such as Splunk and Dynatrace.

For firewall logs, there are many default parsing templates and pipelines available. Firewall logs can be easily converted using parser functions. Default parsers are available for all log types, such as Palo Alto traffic, access logs, audit logs, and Linux logs. When a parser function is chosen for Palo Alto traffic, it automatically extracts all fields from the firewall logs.

A specific use case implemented involves firewall logs, which are substantial in size. Statistics are performed on the firewall logs and sent every five minutes. The logs are summarized by state count, and during that five-minute interval, the logs are aggregated and sent to other locations such as Dynatrace and Splunk. This significantly reduces data size and saves considerable space and licensing costs in Splunk.

Cribl provides substantial help with sending data to different destinations. With three products in use—Splunk, Dynatrace, and DataDog—Cribl sends dual feeds to multiple products. For instance, firewall logs are needed by both Splunk and DataDog. Additionally, some observability logs are directed to Dynatrace while remaining logs are sent to Splunk. Cribl effectively splits data across the various products in use.

Cribl is recommended for organizations with more than 1 TB or 2 TB of data ingestion. For smaller data volumes of less than 1 TB, Splunk licensing alone is sufficient, and parsing can be done at the Splunk level. With 14 TB of data ingestion per day, Cribl provides significant benefits.

Cribl's user interface is the most valuable feature. The UI is extremely user-friendly and allows visibility into what Cribl is processing and how much time it takes. Multiple routing capabilities enable data duplication to any location.

Cribl Edge provides an agent that is very simple to install on any server. Installation requires only a one-line script that can be copied and pasted, and the connection is established immediately. The configuration part is also very good.

User management in Cribl is excellent compared to other products. There is no need to access the back-end for any task, and dependence on the back-end is eliminated. Everything is available on the UI, making it very simple to use.

Cribl Cloud has no issues with handling large data ingestion volumes. Cribl Cloud can handle any volume of data efficiently. However, before purchasing Cribl Cloud, the read and write IOPS requirements need to be discussed and agreed upon with Cribl support. If data volume increases, these parameters can be adjusted accordingly. For on-premises deployments, the server is managed internally, and with recommended workers configured, there should be no issues.

For endpoint telemetry, the agent can be deployed everywhere using scripts based on Windows, Linux, and Kubernetes. Once the edge script is obtained, it can be deployed across all endpoints to gather data.

Currently, there are no significant enhancements needed as Cribl is a reliable product.

One improvement opportunity exists with Git integration. Git is attached to Cribl, and while users can push changes from Cribl to the Git repository, pulling changes from Git back into Cribl is not automated. When changes are made directly in the Git repository, they must be manually pulled into Cribl. For example, if a source is created in Cribl, it can be pushed to the Git repository, but modifications made directly in the Git repository must be manually pulled back into Cribl. Automating this pull functionality would be a valuable enhancement.

Cribl has been used for the last six or seven years.

No stability issues have been encountered. Occasionally, back-pressure issues occur, but these are not caused by Cribl. Sometimes the source experiences issues, or destinations such as Dynatrace do not accept the data due to API hit limits when sending data via HTTP. During these times, back-pressure occurs, and when back-pressure takes a long time, the parsing queue can become full.

For scalability, the leader is configured for high availability with a standby leader. Standby workers are also maintained. Currently, there are 16 workers in total with six additional workers kept as standby. If a worker fails, Cribl can be started on these standby workers to maintain operations.

Customer service is not required as the product is managed internally. Three or four people manage the product exclusively. Technical service support is not utilized because the team consists of certified Cribl engineers who have comprehensive knowledge of the product.

Initial setup is straightforward, particularly for those familiar with Splunk. The installation is similar to Splunk—unzip the leader package and install it. The worker installation follows the same process. Installation is very simple. For cloud deployments, there are no issues as URLs are provided.

A consultant from NetScaler, an authorized partner of Cribl, was brought in to guide the implementation. This person provided guidance, but the team completed the implementation internally. Assistance from Cribl is obtained whenever needed through this consultant.

Other alternatives exist, including Splunk, Enterprise Security (ES), and Itsee. Many other products are also available.

Cribl offers several advantages over alternative solutions. Managing the infrastructure, including workers and the leader, is very simple. Patching is also straightforward and requires only one click. The user interface is user-friendly.

Alternative products have many limitations that Cribl does not have. Other products may have issues with data acceptance and compatibility. Cribl accepts data over various ports, including TCP, HTTP, and UDP, as well as HEC tokens. Cribl also supports custom sources that can be added, a feature that is missing in other platforms.

Pricing is always discussed with high-level business teams, and involvement in pricing discussions is limited. However, Cribl is very inexpensive compared to Splunk licensing, which is a significant advantage for organizations purchasing Cribl.

Upgrading is a one-click activity. The version is selected, the leader is upgraded, and then the worker is deployed with a single click to upgrade the entire infrastructure. This capability has not been seen in any other product.

Data complexity is not a concern. Although there are many fields, each field has a question mark next to it that provides a description of what needs to be entered in the checkbox or dropdown below. The UI presents all information clearly. Without prior knowledge, anyone logging into the UI and navigating through sources, destinations, and other configurations can easily understand everything.

The overall review rating for this product is 9 out of 10.

Security data is my main use case for Cribl. I ingest data using Cribl Edge and then process the data using Cribl Stream to reduce the amount of volume of the data collected for use in other platforms.

The Cribl Edge features that are easier to use or to manage help me to reduce the amount of people I need to help manage the product.

As part of Stream, reducing the amount of volume provides a financial benefit to allow us to pay less for the other products that we are using the data in down the data path or stream.

The ease of management and configuration of Cribl Edge features is highly beneficial. I have many thousands of Cribl Edge nodes deployed, and it's very easy to make configuration changes across the board or update the agent. 

It can contain data cost and complexity. In terms of data complexity and cost, Cribl does a good job at providing solutions that will compress the data while retaining its usable form, or split the data in such that you can retain its original form and send a reduced form to your end destination. In terms of reducing the amount of logs with Cribl for firewall specifically, I am able to reduce the size and reformat the logs so that they are better able to be used downstream. 

Cribl has influenced the data processing workflow by allowing us to be platform-agnostic, and being able to separate the data into different destinations is quite easy.

The Cribl UI in general is very intuitive in how to manage log processing and configurations. Customer service and support deserves an 8.5 rating. They are really good at what they do, and you can tell that they are passionate about their product and helping customers have success.

Cribl could be improved by some UI tweaks and some usability tweaks, mostly centered around error troubleshooting for large volumes of Edge nodes. 

I have talked to the developers of the Cribl Edge software and they're very open and welcoming to the feedback and are looking to implement changes to help make the product better.

I have been using Cribl for a few months since July of 2025.

Cribl is overall a very reliable product and solution. The few times that I've had any reliability issues, they were quick to help me identify and proactive in helping me identify potential issues in the platform.

We have over 10,000 employees.

Cribl does a good job of handling large volumes of data very quickly. The Cribl Cloud that we have deployed allows for easy scaling to meet the needs of onboarding tens of thousands of Cribl Edge devices in a single day in some cases. Cribl makes scaling for Edge or Cribl Cloud data nodes very easy to add or replace Cribl worker nodes and allows you to, with one click, reconfigure Cribl Cloud workers to be able to ingest higher volumes of data.

Cribl technical support and customer service has been great so far. I really appreciate having a direct line to my Cribl SE or many different Cribl private resources via their Slack channel. 

It is a really easy way to quickly get an answer on something rather than having to put in a support ticket, however, support tickets are also fairly straightforward and easy to use.

Positive

I did not use other solutions before Cribl that do the same thing as Cribl does.

My experience for deploying Cribl was pretty easy. We have Cribl Cloud, and they make that a very simple solution to stand up. And for the on-prem resources that we have for Cribl workers, those were also easy to stand up and get connected to the cloud. So, overall, it's very easy to deploy the platform and to get it to configure.

The biggest return on investment is probably the log reduction capabilities while retaining the essential information from the logs. In some cases, greater than 80% reduction is achievable. Across thousands of endpoints, it really adds up quickly.

The pricing for Cribl was fairly straightforward. They have a universal license that allows us to consume the portions of Cribl that we want to use or flex into other portions of Cribl. We primarily use Cribl Edge and Cribl Stream at this point, but we could also use the same license for Cribl Lake or Cribl Search.

I did not consider other solutions in my company before choosing Cribl.

I've worked in information security for over ten years. 

With any SaaS solution, it's sometimes a difficult decision to decide to do on-premises versus a SaaS solution for on-cloud. I would recommend Cribl on Cloud for its ease of use and manageability. The managed updates are very nice and they have a proactive services team that helps monitor the infrastructure.

Overall, I would rate Cribl nine out of ten. While there are some shortcomings, the direct feedback loop they give to customers makes it a really good product overall.

As a Splunk administrator, I was using Splunk for everything from collecting logs to filtering them and viewing whatever I required, including searching queries. The Splunk license was costing me millions of dollars, so I wanted a tool where input data I did not require could be transformed to churn out meaningful data that I actually needed, with only that data being ingested into Splunk. Cribl played a very important role in this regard. It not only helped me with cost optimization but also transformed the data, and it was user-friendly. I used to have a specific regex query on my indexers, but those were removed once I introduced Cribl. In that way, I am using Cribl for cost optimization.

My sources and destinations are now being taken care of, whereas before, if I wanted to route my data to any specific destination, I had to configure it manually on the Splunk side. With Cribl, one source can have multiple destinations, and it is all UI friendly. This helps me considerably.

My core purpose in using Cribl is to get insight into login logs, including user login, log out, and all those sorts of logs. I use it for that purpose and have never come across anything such as a firewall.

When managing log processing tasks, my experience with Cribl's user interface is extremely smooth, quick, and very user-friendly. If I want to monitor my incoming data, I just have to go to that specific panel and click on monitoring. I can capture the live logs and make minute changes just to view how my output would look without needing to do anything on the back end. In that way, I would say it is very user-friendly, covering most of the available standard sources and destinations without needing additional plugins. If I want to source CrowdStrike or integrate it with Kafka, all that is available right on the UI.

From my perspective, I like Cribl Edge very much. Until now, I had to collect the data using a universal forwarder as an agent installed on the source side, but with Cribl Edge, you do not require any installation. You simply set up the source on the Cribl Edge side, and it starts collecting the data. Unlike traditional forwarders where you have to manually install the agent, Cribl Edge simplifies that process. Cribl Stream is also one of the best features. If I want to perform any transformation, I can create multiple routes and perform operations on the incoming data based on my output configuration. I can have my login routes into specific dashboards based on transformations. I am using both Stream and Edge.

Cribl Edge's centralized fleet management has saved a lot of my time and effort and has also helped with cost optimization. As a core Splunk administrator, I used to manually install the Splunk universal forwarder on my source site. Since using Cribl Edge, I just set up my source and do some networking tweaks to include it in my parameters, and then the agent starts collecting the required logs for me without the traditional installation process.

I think Cribl should enhance its visualization side, similar to Splunk or Grafana, where things can be visualized more accurately or presentably. Adding features for trending data lines and predictive analysis would be a beneficial addition.

I have been working with Cribl for probably more than a year, maybe around fifteen to sixteen months.

Regarding stability and scalability, I have not faced any crashes, downtimes, or performance issues. I would rate it ten out of ten as it has been smooth overall. However, in tools like Splunk, you often have a free limit, but in Cribl, you need a production license to process anything.

I am aware of Cribl's technical support. I can raise a case via email or use on-demand support. I am familiar with it but have not needed to reach out recently, though I am aware there is twenty-four seven support with a dedicated email ID.

I would rate the customer service or technical support team very high, around eight or nine. They are quick to respond, have a service-level agreement, and I have not encountered a time when it was breached. You can also provide your mobile number if something is urgent, and they will call you directly.

Positive

Before choosing Cribl, I did not really evaluate other options. We were predominantly relying on Splunk, and aside from it, we relied on primitive AWS agents. Choosing Cribl as an independent tool offered a major advantage since it is platform-independent and can integrate with any cloud environment.

My experience with the initial setup and deployment process was straightforward. Cribl provides training, including free certifications called Cribl University. Anyone without a background in data processing can go through those certifications to understand how to install and use Cribl for their cases. Since I come from a similar background, I faced no challenges.

Everything was done in-house. My leadership took care of procurement, and we managed the deployment, creating the topology and using it by ourselves.

The return on investment with Cribl is huge. My enterprise would have ended up paying a lot of money for similar types of work before Cribl was introduced, so the return is quite good.

Regarding Cribl's pricing aspect, I find it very nominal. It seems to be a startup, and from an engineering enterprise perspective, it is price-friendly and not competitive. The price-to-benefit ratio shows high benefits compared to a comparatively low price.

I am using the software version, not working with it on the AWS cloud.

I bought the Cribl product directly from Cribl. I reached out to my leadership, and they facilitated getting the Cribl license and everything directly from cribl.io.

Cribl handles high volumes of diverse data types, such as logs and metrics, very well. It is a stable platform; even with high input data ingestion, it does not slow down. My experience shows it is quite stable regardless of how large the amount of data being processed.

Cribl Search has helped me in a good way regarding long-term log retention and historical investigations. However, I have not explored that area much. My prime area was to reduce the costs associated with Splunk, which costs around seventy-five million dollars yearly due to many redundant logs. Cribl helped me filter those logs for cost optimization.

Unified management has absolutely helped me and saved me a lot of time. During situations concerning a major incident, I was able to get required results in less time, saving a lot of application downtime. Using Cribl on Kubernetes and Docker shows everything regarding the health of my underlying servers, making it easy to maintain. The core purpose I am using it for is cost optimization, and it has helped reduce incident time or downtime of my application, widely assisting me in areas where I needed it.

With Cribl Search's ability to search data in place, I can troubleshoot easily. I am using Cribl Stream with configured sources and destinations. If there is an error event, I can log in to the Cribl UI and type a query, such as the index name, to see all related events. It is helping me troubleshoot on the Cribl UI.

I do not think my wisdom or tech understanding is superior to offer advice. The tool itself is promising, but given the evolution of AI and similar technologies, it would be beneficial if Cribl could provide intelligent suggestions for configuration or search, similar to Visual Studio. I would rate this review an eight overall.

The use case is for data log optimization and log rerouting. Along with log optimization and log rerouting, we have been using Cribl for data lakes.

Overall, Cribl has improved my organization. The reduction in firewall logs has influenced my data processing workflow. When we talk about data optimization, these events ingested into Cribl are basically the raw info, raw logs. Enhancing those events to optimize, to add new fields or to remove the extra fields that are of no use helps us in log reduction by dumping the raw logs and only ingesting the interested fields, which helps us in 50 to 60% volume reduction.

We can change the log format in case any data feed is ingesting logs in some different format, so we can reformat the logs and send those logs into some JSON format or any other format that is more understandable to any normal person. 

Cribl has been able to manage and take care of a high volume or any outburst of logs. We are able to manage those by creating alerts whenever resource thresholds are being breached so we can scale up the workers.

The best feature in Cribl is the UI, which is user-friendly. Apart from being user-friendly, you can have integration with Git, GitHub, and other config version controlling tools that we need. You can integrate them as well. Currently, I'm using GitHub, so it's quite easy to integrate it with GitHub and use it. We have multiple source integrations available, with multiple destinations being supported by Cribl. I'm using a cloud version which is not hosted in Cribl; it's on our own cloud that we have hosted. It's a containerized version that we are using for Cribl. It's quite easy to patch the Cribl host as well.

Given the dynamic nature, we can create workers, worker nodes on the fly. We can increase or decrease the worker nodes as per our requirements. For knowledge objects, we can have the lookups added and we can do the filtering based on lookups. We can use the custom packs as well to enhance our logs. 

Log enhancement is another feature, and when I say log optimization, this has been one of the best features for Cribl where you can reduce the log size by filtering the selective logs, enhancing the log quality by filtering the requested fields within the logs and filtering out the unnecessary garbage value within our logs.

Another interesting feature is that you can have the logs rerouted to multiple destinations, whether it be S3 bucket or any SIEM solution, any data lake, or any third-party tool. 

Over the period, we have upgraded Cribl, and earlier it did not support multiple sources. Now with the upgrades, it has integrated with multiple new sources and different integration mechanisms such as Wiz, TCP, Syslog; all those functionalities have been excellent.

In terms of areas for improvement, I would say Cribl internal logging has been one of the bottlenecks; that should be enhanced. If we can have more internal logs and more debug logs to validate the error, that would be beneficial because instead of reaching out to Cribl support, we can troubleshoot and find the root cause ourselves.

Currently, Cribl only provides monitoring for the data that is being ingested. If Cribl could store metrics for the data that has been ingested in the past, that would be valuable because there have been certain scenarios where tenants mentioned they are not receiving the logs from the past. There's no way to go back and check whether Cribl received those logs or not. If there could be metrics that could help us provide how much data for a particular week we received, it would be very beneficial.

Another enhancement I would expect is if Cribl could have more dashboards for troubleshooting, which would be very beneficial. I would expect Cribl to provide those troubleshooting dashboards to troubleshoot and try the errors, as it becomes tough to understand where the root cause is when an issue occurs. If Cribl can have more alerts defined in itself, rather than relying on any SIEM solution to forward the logs and configure the alerts over there, having Cribl itself with alerting mail notifications or SNS would be very beneficial.

I have been using this solution for almost one and a half or two years.

I would rate the stability as ten out of ten. The platform has been stable unless there have been unforeseen circumstances such as an outburst of logs that the team has not been informed of. In such cases, I've seen some outages, but this is not caused by Cribl. This has been caused by the source team or the ops team.

Regarding scalability, the current Cribl certifications available on Cribl support are good. User, admin, and edge certifications are very good. I enrolled for one of the certifications that required instructor-led training, but I couldn't find the slots for that.

It's an enterprise version, and we have a good amount of users using this solution.

I would rate the technical support an eight out of ten. I've kept two points for improvisation in terms of internal logging. Given the scenario that whenever there is an issue, we may have to engage support, if they could enhance their internal logging, we won't require Cribl support to engage.

Positive

Deployment is somewhat easy, but I would appreciate it if Cribl can provide more documentation on Cribl deployments. They need to upscale their knowledge base. 

The time it takes to deploy depends on the environment; if the initial requirement is just to have a few workers and the leader spin up, it should not take much time. If the initial setup is huge, then it depends on how many sources need to be integrated and where we are hosting it. If it is Cribl Cloud, it would be easier, but if it's a hybrid one, some complexity depends on the sort of environment you have.

I have not conducted much analysis on the return on investment part, but in the POCs that I have done in different projects and in the current one, there has been almost 30% return over investment available. However, it varies from project to project and requirements as well. If there's a requirement only to do the filtering and enhance the log and optimize them, it has helped, but in those cases where log optimization is not required, only enhancement is required, it has somewhat varied. In the case of optimization, it has helped return on investment to somewhere close to 50%.

Regarding pricing, nothing comes free. Obviously, when we are using Cribl, it has a cost associated, but over time, the licensing cost has increased, given the scenario that Cribl is gaining popularity.

Given the scenario that it's a new tool in the market, it has been promising enough. With the features and functionalities that it offers, it's been very good.

I would recommend Cribl to other users, especially if someone is looking to optimize their logs and do volume reduction. But everything comes at a price. If you are not utilizing it to the max, you won't be able to get a good return on investment. Always ensure that whenever you have such things in place, you have the complete benefits of that particular functionality being used.

I would rate Cribl an eight out of ten.