Initially, it takes time to understand the pipelines and the functions, and sometimes troubleshooting certain requirements, checking multiple pipeline states, and more built-in examples for real-world use cases would help beginners learn how to work with Cribl. For a beginner, learning how it works and how to build the pipeline and the functions presents some challenges. I think data cost is acceptable, but the main concern is availability. Sometimes Cribl is down, so we may miss some logs, and that is an issue. Availability for Cribl is needed. We typically do not have issues with the logs, but sometimes Cribl is down, causing us to miss some of the logs, which creates a significant issue for Splunk. Customers have issues with logs when Cribl is down, leading to missed logs and triggering Splunk alerts repeatedly due to data loss, creating multiple incidents. We need availability for Cribl most of the time. If availability is acceptable, then we do not have any issues with Cribl. Sometimes we have downtime with Cribl, which is the only issue. Otherwise, we do not have any other issues. When there is downtime, we cannot get the logs into Splunk. Based on those logs, we get alerts that keep triggering repeatedly, creating multiple incidents and sending emails to our customers, which are very problematic during downtime. At this time, we are working in Cribl because we do not want to use the Edge Processor due to its complexity, requiring us to manually write all the functions and multiple lines of code for data reduction and dropping. Cribl has some built-in functions and a very good UI that helps significantly. It is better than the Edge Processor since we have to write the full pipeline from scratch in the Edge Processor, which can be difficult. We also cannot capture sample logs in the Edge Processor, but in Cribl, we can capture the logs.
