Vishwanath Singh - PeerSpot reviewer
Senior Engineer 3 at American Express
Real User
Top 20
Mar 6, 2026
Log management has cut costs and now routes diverse data to multiple destinations efficiently
Pros and Cons
  • "The return on investment with Cribl is huge."
  • "I think Cribl should enhance its visualization side, similar to Splunk or Grafana, where things can be visualized more accurately or presentably."

What is our primary use case?

As a Splunk administrator, I was using Splunk for everything from collecting logs to filtering them and viewing whatever I required, including searching queries. The Splunk license was costing me millions of dollars, so I wanted a tool where input data I did not require could be transformed to churn out meaningful data that I actually needed, with only that data being ingested into Splunk. Cribl played a very important role in this regard. It not only helped me with cost optimization but also transformed the data, and it was user-friendly. I used to have a specific regex query on my indexers, but those were removed once I introduced Cribl. In that way, I am using Cribl for cost optimization.

My sources and destinations are now being taken care of, whereas before, if I wanted to route my data to any specific destination, I had to configure it manually on the Splunk side. With Cribl, one source can have multiple destinations, and it is all UI friendly. This helps me considerably.

My core purpose in using Cribl is to get insight into login logs, including user login, log out, and all those sorts of logs. I use it for that purpose and have never come across anything such as a firewall.

What is most valuable?

When managing log processing tasks, my experience with Cribl's user interface is extremely smooth, quick, and very user-friendly. If I want to monitor my incoming data, I just have to go to that specific panel and click on monitoring. I can capture the live logs and make minute changes just to view how my output would look without needing to do anything on the back end. In that way, I would say it is very user-friendly, covering most of the available standard sources and destinations without needing additional plugins. If I want to source CrowdStrike or integrate it with Kafka, all that is available right on the UI.

From my perspective, I like Cribl Edge very much. Until now, I had to collect the data using a universal forwarder as an agent installed on the source side, but with Cribl Edge, you do not require any installation. You simply set up the source on the Cribl Edge side, and it starts collecting the data. Unlike traditional forwarders where you have to manually install the agent, Cribl Edge simplifies that process. Cribl Stream is also one of the best features. If I want to perform any transformation, I can create multiple routes and perform operations on the incoming data based on my output configuration. I can have my login routes into specific dashboards based on transformations. I am using both Stream and Edge.

Cribl Edge's centralized fleet management has saved a lot of my time and effort and has also helped with cost optimization. As a core Splunk administrator, I used to manually install the Splunk universal forwarder on my source site. Since using Cribl Edge, I just set up my source and do some networking tweaks to include it in my parameters, and then the agent starts collecting the required logs for me without the traditional installation process.

What needs improvement?

I think Cribl should enhance its visualization side, similar to Splunk or Grafana, where things can be visualized more accurately or presentably. Adding features for trending data lines and predictive analysis would be a beneficial addition.

For how long have I used the solution?

I have been working with Cribl for probably more than a year, maybe around fifteen to sixteen months.

Buyer's Guide
Cribl
March 2026
Learn what your peers think about Cribl. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
885,311 professionals have used our research since 2012.

What do I think about the stability of the solution?

Regarding stability and scalability, I have not faced any crashes, downtimes, or performance issues. I would rate it ten out of ten as it has been smooth overall. However, in tools like Splunk, you often have a free limit, but in Cribl, you need a production license to process anything.

How are customer service and support?

I am aware of Cribl's technical support. I can raise a case via email or use on-demand support. I am familiar with it but have not needed to reach out recently, though I am aware there is twenty-four seven support with a dedicated email ID.

I would rate the customer service or technical support team very high, around eight or nine. They are quick to respond, have a service-level agreement, and I have not encountered a time when it was breached. You can also provide your mobile number if something is urgent, and they will call you directly.

Which solution did I use previously and why did I switch?

Before choosing Cribl, I did not really evaluate other options. We were predominantly relying on Splunk, and aside from it, we relied on primitive AWS agents. Choosing Cribl as an independent tool offered a major advantage since it is platform-independent and can integrate with any cloud environment.

How was the initial setup?

My experience with the initial setup and deployment process was straightforward. Cribl provides training, including free certifications called Cribl University. Anyone without a background in data processing can go through those certifications to understand how to install and use Cribl for their cases. Since I come from a similar background, I faced no challenges.

What about the implementation team?

Everything was done in-house. My leadership took care of procurement, and we managed the deployment, creating the topology and using it by ourselves.

What was our ROI?

The return on investment with Cribl is huge. My enterprise would have ended up paying a lot of money for similar types of work before Cribl was introduced, so the return is quite good.

What's my experience with pricing, setup cost, and licensing?

Regarding Cribl's pricing aspect, I find it very nominal. It seems to be a startup, and from an engineering enterprise perspective, it is price-friendly and not competitive. The price-to-benefit ratio shows high benefits compared to a comparatively low price.

Which other solutions did I evaluate?

I am using the software version, not working with it on the AWS cloud.

I bought the Cribl product directly from Cribl. I reached out to my leadership, and they facilitated getting the Cribl license and everything directly from cribl.io.

What other advice do I have?

Cribl handles high volumes of diverse data types, such as logs and metrics, very well. It is a stable platform; even with high input data ingestion, it does not slow down. My experience shows it is quite stable regardless of how large the amount of data being processed.

Cribl Search has helped me in a good way regarding long-term log retention and historical investigations. However, I have not explored that area much. My prime area was to reduce the costs associated with Splunk, which costs around seventy-five million dollars yearly due to many redundant logs. Cribl helped me filter those logs for cost optimization.

Unified management has absolutely helped me and saved me a lot of time. During situations concerning a major incident, I was able to get required results in less time, saving a lot of application downtime. Using Cribl on Kubernetes and Docker shows everything regarding the health of my underlying servers, making it easy to maintain. The core purpose I am using it for is cost optimization, and it has helped reduce incident time or downtime of my application, widely assisting me in areas where I needed it.

With Cribl Search's ability to search data in place, I can troubleshoot easily. I am using Cribl Stream with configured sources and destinations. If there is an error event, I can log in to the Cribl UI and type a query, such as the index name, to see all related events. It is helping me troubleshoot on the Cribl UI.

I do not think my wisdom or tech understanding is superior to offer advice. The tool itself is promising, but given the evolution of AI and similar technologies, it would be beneficial if Cribl could provide intelligent suggestions for configuration or search, similar to Visual Studio. I would rate this review an eight overall.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Mar 6, 2026
PeerSpot user
SIEM Engineer at National Australia Bank (NAB)
Real User
Top 20
Sep 15, 2025
A user-friendly solution for log optimization and volume reduction
Pros and Cons
  • "Enhancing those events to optimize, to add new fields or to remove the extra fields that are of no use helps us in log reduction by dumping the raw logs and only ingesting the interested fields, which helps us in 50 to 60% volume reduction."

    What is our primary use case?

    The use case is for data log optimization and log rerouting. Along with log optimization and log rerouting, we have been using Cribl for data lakes.

    How has it helped my organization?

    Overall, Cribl has improved my organization. The reduction in firewall logs has influenced my data processing workflow. When we talk about data optimization, these events ingested into Cribl are basically the raw info, raw logs. Enhancing those events to optimize, to add new fields or to remove the extra fields that are of no use helps us in log reduction by dumping the raw logs and only ingesting the interested fields, which helps us in 50 to 60% volume reduction.

    We can change the log format in case any data feed is ingesting logs in some different format, so we can reformat the logs and send those logs into some JSON format or any other format that is more understandable to any normal person. 

    Cribl has been able to manage and take care of a high volume or any outburst of logs. We are able to manage those by creating alerts whenever resource thresholds are being breached so we can scale up the workers.

    What is most valuable?

    The best feature in Cribl is the UI, which is user-friendly. Apart from being user-friendly, you can have integration with Git, GitHub, and other config version controlling tools that we need. You can integrate them as well. Currently, I'm using GitHub, so it's quite easy to integrate it with GitHub and use it. We have multiple source integrations available, with multiple destinations being supported by Cribl. I'm using a cloud version which is not hosted in Cribl; it's on our own cloud that we have hosted. It's a containerized version that we are using for Cribl. It's quite easy to patch the Cribl host as well.

    Given the dynamic nature, we can create workers, worker nodes on the fly. We can increase or decrease the worker nodes as per our requirements. For knowledge objects, we can have the lookups added and we can do the filtering based on lookups. We can use the custom packs as well to enhance our logs. 

    Log enhancement is another feature, and when I say log optimization, this has been one of the best features for Cribl where you can reduce the log size by filtering the selective logs, enhancing the log quality by filtering the requested fields within the logs and filtering out the unnecessary garbage value within our logs.

    Another interesting feature is that you can have the logs rerouted to multiple destinations, whether it be S3 bucket or any SIEM solution, any data lake, or any third-party tool. 

    Over the period, we have upgraded Cribl, and earlier it did not support multiple sources. Now with the upgrades, it has integrated with multiple new sources and different integration mechanisms such as Wiz, TCP, Syslog; all those functionalities have been excellent.

    What needs improvement?

    In terms of areas for improvement, I would say Cribl internal logging has been one of the bottlenecks; that should be enhanced. If we can have more internal logs and more debug logs to validate the error, that would be beneficial because instead of reaching out to Cribl support, we can troubleshoot and find the root cause ourselves.

    Currently, Cribl only provides monitoring for the data that is being ingested. If Cribl could store metrics for the data that has been ingested in the past, that would be valuable because there have been certain scenarios where tenants mentioned they are not receiving the logs from the past. There's no way to go back and check whether Cribl received those logs or not. If there could be metrics that could help us provide how much data for a particular week we received, it would be very beneficial.

    Another enhancement I would expect is if Cribl could have more dashboards for troubleshooting, which would be very beneficial. I would expect Cribl to provide those troubleshooting dashboards to troubleshoot and try the errors, as it becomes tough to understand where the root cause is when an issue occurs. If Cribl can have more alerts defined in itself, rather than relying on any SIEM solution to forward the logs and configure the alerts over there, having Cribl itself with alerting mail notifications or SNS would be very beneficial.

    For how long have I used the solution?

    I have been using this solution for almost one and a half or two years.

    What do I think about the stability of the solution?

    I would rate the stability as ten out of ten. The platform has been stable unless there have been unforeseen circumstances such as an outburst of logs that the team has not been informed of. In such cases, I've seen some outages, but this is not caused by Cribl. This has been caused by the source team or the ops team.

    What do I think about the scalability of the solution?

    Regarding scalability, the current Cribl certifications available on Cribl support are good. User, admin, and edge certifications are very good. I enrolled for one of the certifications that required instructor-led training, but I couldn't find the slots for that.

    It's an enterprise version, and we have a good amount of users using this solution.

    How are customer service and support?

    I would rate the technical support an eight out of ten. I've kept two points for improvisation in terms of internal logging. Given the scenario that whenever there is an issue, we may have to engage support, if they could enhance their internal logging, we won't require Cribl support to engage.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    Deployment is somewhat easy, but I would appreciate it if Cribl can provide more documentation on Cribl deployments. They need to upscale their knowledge base. 

    The time it takes to deploy depends on the environment; if the initial requirement is just to have a few workers and the leader spin up, it should not take much time. If the initial setup is huge, then it depends on how many sources need to be integrated and where we are hosting it. If it is Cribl Cloud, it would be easier, but if it's a hybrid one, some complexity depends on the sort of environment you have.

    What was our ROI?

    I have not conducted much analysis on the return on investment part, but in the POCs that I have done in different projects and in the current one, there has been almost 30% return over investment available. However, it varies from project to project and requirements as well. If there's a requirement only to do the filtering and enhance the log and optimize them, it has helped, but in those cases where log optimization is not required, only enhancement is required, it has somewhat varied. In the case of optimization, it has helped return on investment to somewhere close to 50%.

    What's my experience with pricing, setup cost, and licensing?

    Regarding pricing, nothing comes free. Obviously, when we are using Cribl, it has a cost associated, but over time, the licensing cost has increased, given the scenario that Cribl is gaining popularity.

    What other advice do I have?

    Given the scenario that it's a new tool in the market, it has been promising enough. With the features and functionalities that it offers, it's been very good.

    I would recommend Cribl to other users, especially if someone is looking to optimize their logs and do volume reduction. But everything comes at a price. If you are not utilizing it to the max, you won't be able to get a good return on investment. Always ensure that whenever you have such things in place, you have the complete benefits of that particular functionality being used.

    I would rate Cribl an eight out of ten.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Sep 15, 2025
    Ramani Happy - PeerSpot reviewer
    Dev Ops Engineer at Data Elicit Solutions Pvt. Ltd.
    Real User
    Mar 30, 2026
    Centralized pipelines have reduced daily log volume and improved routing for observability data
    Pros and Cons
    • "The feature I appreciate the most is the connection between Splunk and Cribl, which is very useful for routing data."
    • "Sometimes Cribl is down, so we may miss some logs, and that is an issue."

    What is our primary use case?

    I have Splunk with approximately 10 TB daily ingestion, so I route that data to Cribl. I optimize the data and then index it into Splunk, reducing storage by about 30 to 40 percent. For example, 10 TB daily ingestion becomes 5 TB ingestion after optimization.

    In another scenario, I have approximately 10 TB daily ingestion in Splunk, route the data into Cribl, optimize the data, and it becomes 6 TB or 6.5 TB daily ingestion.

    I route firewall logs, event logs such as Windows logs, metrics logs, and EDR logs.

    What is most valuable?

    The feature I appreciate the most is the connection between Splunk and Cribl, which is very useful for routing data. The pipeline and filtering logs are very helpful.

    Cribl has a central management system that controls all data pipelines and configuration. Cribl works centrally by using the main Cribl instance, managing the configuration, pipelines, and routing rules for all worker nodes. The leader node acts as a central node, managing the pipelines, route packs, and configuration, distributing them to the worker nodes. The worker nodes process actual logs and send the processed logs to the destination, such as Splunk, S3, or other SIM tools.

    Cribl Edge processes the data at the edge before sending it to a central system, reducing unnecessary data volume so we can drop some data, improve performance, and reduce network usage at the edge. It helps with security and observability.

    Cribl Edge is a very lightweight agent for data collection and processing. It runs on the endpoints or the server and helps collect logs and metrics directly from the source and process them before sending them to a platform such as Cribl Stream, Splunk, or any other destination.

    Cribl Edge has made it easier and faster to maintain endpoint telemetry collection.

    What needs improvement?

    Initially, it takes time to understand the pipelines and the functions, and sometimes troubleshooting certain requirements, checking multiple pipeline states, and more built-in examples for real-world use cases would help beginners learn how to work with Cribl. For a beginner, learning how it works and how to build the pipeline and the functions presents some challenges.

    I think data cost is acceptable, but the main concern is availability. Sometimes Cribl is down, so we may miss some logs, and that is an issue. Availability for Cribl is needed.

    We typically do not have issues with the logs, but sometimes Cribl is down, causing us to miss some of the logs, which creates a significant issue for Splunk. Customers have issues with logs when Cribl is down, leading to missed logs and triggering Splunk alerts repeatedly due to data loss, creating multiple incidents. We need availability for Cribl most of the time. If availability is acceptable, then we do not have any issues with Cribl.

    Sometimes we have downtime with Cribl, which is the only issue. Otherwise, we do not have any other issues. When there is downtime, we cannot get the logs into Splunk. Based on those logs, we get alerts that keep triggering repeatedly, creating multiple incidents and sending emails to our customers, which are very problematic during downtime.

    At this time, we are working in Cribl because we do not want to use the Edge Processor due to its complexity, requiring us to manually write all the functions and multiple lines of code for data reduction and dropping. Cribl has some built-in functions and a very good UI that helps significantly. It is better than the Edge Processor since we have to write the full pipeline from scratch in the Edge Processor, which can be difficult. We also cannot capture sample logs in the Edge Processor, but in Cribl, we can capture the logs.

    For how long have I used the solution?

    I have been working with Cribl for approximately one and a half years.

    What do I think about the stability of the solution?

    Sometimes Cribl is down, so we may miss some logs, and that is an issue.

    Sometimes we have downtime with Cribl, which is the only issue. Otherwise, we do not have any other issues. When there is downtime, we cannot get the logs into Splunk. Based on those logs, we get alerts that keep triggering repeatedly, creating multiple incidents and sending emails to our customers, which is very problematic during downtime.

    What do I think about the scalability of the solution?

    We can easily scale up and manage multiple nodes, which is not a significant task and is quite easy. Scaling the Splunk agent is difficult compared to Cribl, and in the Edge Processor, managing multiple nodes is very challenging. Cribl is a better solution for scalability.

    How are customer service and support?

    I did not contact technical support because we have senior staff in the company who help us understand how it works and everything else. They have significant experience with Cribl, so we can learn from them and apply the changes to the pipelines.

    How was the initial setup?

    In the initial setup, for beginners, I would say it is moderate, not too easy and not too hard. For experienced people, it is very easy.

    One person is enough to deploy Cribl if you do not have a very large environment. Otherwise, we need different types of people for a very large-scale environment.

    What other advice do I have?

    I have approximately four to five years of experience in Splunk, and currently, I have approximately one and a half years with Cribl. I am using Cribl.

    Cribl Edge is a very lightweight agent for data collection and processing. It runs on the endpoints or the server and helps collect logs and metrics directly from the source and process them before sending them to a platform such as Cribl Stream, Splunk, or any other destination.

    I am not aware of the Search-in-Place feature, and I have to test that feature before I can provide feedback on it. At this time, I do not have any information about that feature. I can investigate it.

    There are no requirements for maintenance.

    Your pricing is lower than the Edge Processor or the Ingest Processor. We mostly need availability for Cribl at all times. If our customers get availability, then we do not have any issues with the cost. However, if we do not get availability, that is when we have an issue with Cribl.

    I rate this review a nine out of ten.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Mar 30, 2026
    reviewer2765085 - PeerSpot reviewer
    Director, Performance Engineering at a tech services company with 10,001+ employees
    Real User
    Top 10
    Nov 24, 2025
    Improves ability to process complex data streams and route them efficiently to multiple destinations
    Pros and Cons
    • "The feature I appreciate most about Cribl is the interface and how you're able to interact with the data, see the data both live on the ingest side as well as on the side where it goes out to the destination, which is a feature that was lacking in the previous solution I was using."
    • "Cribl does a really great job of making sure that no matter how crazy the data set is, we're able to see that data and understand it, and then perform advanced functions against the data to make sure that it is in the ready state for whatever the end place is in which we wish to send it."
    • "It would be really nice to be able to see Cribl gain insights from the data as the data is in stream, in flight, on the way to wherever its final storage destination is."
    • "From my perspective of the stability and reliability of the solution, there have been times where certain releases have bugs inside of them that we have to work around in order to make the solution work as intended."

    What is our primary use case?

    My main use cases for Cribl include data reduction, sampling, aggregation, and advanced routing of data to get them to the right place with speed.

    How has it helped my organization?

    It benefits our company by not having to guess at what the data's going to look like after we've made complex manipulations to the data. We can see the data in real-time and understand what the input's going to look like and also what the output's going to look like.

    What is most valuable?

    The feature I appreciate most about Cribl is the interface and how you're able to interact with the data, see the data both live on the ingest side as well as on the side where it goes out to the destination, which is a feature that was lacking in the previous solution I was using.

    Cribl does a really great job of making sure that no matter how crazy the data set is, we're able to see that data and understand it, and then perform advanced functions against the data to make sure that it is in the ready state for whatever the end place is in which we wish to send it. It really helps us because we have thousands of different types of data which we have to run through Cribl and make sure that they get to the right place in the right amount of time.

    Cribl is world-class at handling large volumes and types of data, including metrics. Currently, for my organization, we push multiple terabytes worth of data through the solution every day. And we've been able to find out that it's easily scalable, and I feel that in the future, it's able to grow as our needs for data grow. We have been able to see reductions in firewall logs. For many organizations, firewall logs are one of the largest log sources, modernization included. And so with Cribl, we can use the aggregation functions to make sure that we're pulling out key information from those logs and sending those over to our SIEM solution.

    In terms of the user interface of Cribl for managing log manipulation tasks, it is a world-class solution. It's one of the main reasons which drove us to contracting and purchasing Cribl. We were tired of using plain text files to manipulate data, especially at our large volume. It really helps us be able to see and click and have an easier interface, so administrators are able to do the same things that previously engineers weren't able to do, working with flat files.

    What needs improvement?

    One interesting use case I was thinking about in terms of an improvement for Cribl would be if Cribl were able to do some of the search work that we do currently inside of our SIEM solution in Cribl itself. For example, examining the data as it comes across the wire, making some of those decisions for further functions that have to happen with that data so that we don't have to have that additional workload on the search side that has some delay, albeit very small. 

    It would be really nice to be able to see Cribl gain insights from the data as the data is in stream, in flight, on the way to wherever its final storage destination is.

    For how long have I used the solution?

    I have been using Cribl for four years.

    What do I think about the stability of the solution?

    From my perspective of the stability and reliability of the solution, there have been times where certain releases have bugs inside of them that we have to work around in order to make the solution work as intended. 

    The support team has been very responsive when we find those issues that may occur, and oftentimes there's a patch that's released in the coming weeks for that, and there's a way for a workaround where it does not impact what we need to do.

    What do I think about the scalability of the solution?

    We have 45,000 employees at our company.

    In terms of the ability for Cribl to scale to meet our business needs, it has been doing very well. There is an existing architecture and a model for growth, and we've been able to use that model to grow as our needs have grown over the time that we've used the application.

    How are customer service and support?

    I would say that in terms of customer service and technical support, Cribl is top class. No matter what time, day or night, my salesperson is available for me and my support team to answer questions, or they answer emails, no matter what time it is that we have an issue. They have been very supportive in making sure that our solution can be working as best as it can.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Prior to using Cribl, I was using another solution to address the problem of data manipulation, routing, and other functions. That solution was Splunk Enterprise props and transforms. 

    It can be quite painful when you have thousands upon thousands of lines of code that are required to be maintained to manipulate the data and no real way to visualize what those manipulations are doing. That was one of the main driving points that led us to searching for a solution that we needed.

    How was the initial setup?

    In terms of my experience with deploying Cribl, I myself was not directly involved with the initial deployment of the solution.

    However, I can say that in terms of the management and the upgrades and the maintenance of it, my engineers give good feedback regarding how easy it is to maintain, upgrade, and make code deployments, changes, and commits. It is working out for my needs.

    What was our ROI?

    From my point of view, there are two main things when it comes to the return on investment of using Cribl that I've found to be the most compelling business use cases. First of all, we're able to take the data and get the data off to multiple destinations on the fly, basically as we need to. The second thing is that data aggregation, sampling, and reduction that we're able to do of the data, lowering our overall data volume, both traversing the network as well as what's being stored inside of our final solutions.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing has been good with Cribl. The price compared to the value of the product has been found to be worthwhile and we've been able to create a business case year in and year out in terms of why we need to continue our investment in the solution.

    Which other solutions did I evaluate?

    We considered some other solutions prior to going to Cribl, such as syslog-ng. However, being that I currently work for a large enterprise, Cribl was very attractive. Cribl comes with enterprise support. One thing you need to be cautious of in terms of picking a solution is that if you have to go with, for example, an open-source one, and there's a critical outage, you might not have the support you need and expertise on staff to get the solution back up and running. That was a strong selling point for Cribl.

    What other advice do I have?

    In terms of advice that I'd give to other companies considering Cribl, I'd say take a look at the business use case and at the data which you have that's flowing through it, and make sure you think about how to get the most on the other side of wherever that data is traveling to, specifically from using the Stream product. 

    Make sure that you have a targeted goal in terms of data reduction, then work with your support team to make sure that you have the necessary transformations of the data in place so that you can meet those goals. That way, if you do, you can more easily justify the cost and the budget that's required in order to stand up a solution such as Cribl.

    On a scale of one to ten, I rate Cribl a ten due to its reliability, scalability, and comprehensive feature set that meets all our needs.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Nov 24, 2025
    PeerSpot user
    Product Manager at UnDisclosed
    Real User
    Top 20
    Feb 28, 2026
    Log management has become efficient as data volume reduces and security insights improve
    Pros and Cons
    • "Cribl intelligently formats syslogs, extracting the data and reducing their size by almost 30 to 40 percent in my experience, stripping out null values and discarding what is not required so only what is needed is presented."
    • "What I dislike about Cribl is that it represents my direct pain point."

    What is our primary use case?

    My primary role involves transforming customers' DDI environments to newer environments, migrating things from legacy platforms to newer platforms. A couple of my clients had the challenge of log analysis. DDI (DNS, DHCP, and IPAM) environment logs are quite large. When the logs need to be sent to SIEM, Splunk, or any other log analysis environment, the licensing cost is substantial. They were looking for options to leverage this and reduce log size while maintaining visibility. I came across Cribl, a beautiful product that fascinated me. I was also evaluating a couple of other products including Datadog, but Cribl fascinated me because you can customize your requirements. Based on your requirement, you can channelize the logs, make the logs available as needed, and deduplicate things. Many things can be done in the Cribl environment. I worked along with the LogStream team with the clients and we set up a Cribl environment to pass logs from the DDI environment to Splunk.

    In my current field of DDI transformation as an enterprise architect, I have close to 22 years of IT experience working as an enterprise DDI architect.

    Cribl handles high volumes of diverse data types such as logs and metrics very efficiently because the data volume is managed very efficiently. Cribl is primarily for reducing the data volume and log volume. Analytics is the area where they need to improve. When passing query logs or DNS logs, if certain malicious query patterns need to be identified or if fast-flux attacks are happening, Cribl can report that and those would be definitely a plus for them. Even if those features are there, or may not be there, I couldn't find those options in Cribl. That's one area where they need improvement. Out of the box integrations with different DDI platforms would be definitely a plus. I couldn't explore much into those areas.

    What is most valuable?

    What I like most about Cribl is basically two things. One is the data reduction. When passing syslogs, syslogs are huge, ranging from gigabytes to terabytes in size. When the syslogs need to go to the security operations team or security team for log analysis and event monitoring, it's a nightmare for them to analyze all the syslogs. Cribl intelligently formats them. It intelligently extracts the data from the syslogs and then reduces the size of the syslogs by almost 30 to 40 percent, which I have seen practically. It removes any null values that are not required. It strips down whatever is required and just discards whatever is not required.

    Secondly, sometimes in the logs, you find some unnecessary information, such as just an IP, some site ID, or what we call the circuit ID. Cribl fetches GeoIP information or checks for the reputation of domains if DNS queries are going to certain domains. Based on RPZ (response policy zone) files, it adds those additional fields to the log so that the logs can be enriched. When the traditional logs don't show the accurate values, this gives them a more user-friendly and more user-readable format. Those are basically the two things that I appreciate about Cribl. It basically presents what is required out of a syslog output.

    I have been using Cribl for somewhere around two to three years.

    What needs improvement?

    What I dislike about Cribl is that it represents my direct pain point. I basically do DDI migration, which is transforming a legacy architecture to a newer platform. My expertise is in Infoblox DDI. If a customer environment is running with Microsoft or some old BIND Linux-based DNS DHCP solution, I consult them and if they are willing to move to Infoblox DDI, I help them migrate. The only thing is when we are doing the integration of Cribl, Cribl doesn't have any out-of-box customization packs for Infoblox. Whatever is available is only in the community. I need to go through the community page, download each customization pack or many filters and check whether that filter applies or not. Nothing is out of the box from Cribl. I have sent a couple of requests to Cribl earlier. If these could be available, because Infoblox is a market leader in the DDI segment and if Cribl has a native integration with them, then putting out-of-the-box integration with Infoblox with some filter packs and customization packs would be great for Cribl LogStream.

    Analytics is the area where they need to improve. When passing query logs or DNS logs, if certain malicious query patterns need to be identified or if fast-flux attacks are happening, Cribl can report that and those would definitely be a plus for them. Even if those features are there, or may not be there, I couldn't find those options in Cribl. That's one area where they need improvement. Out of the box integrations with different DDI platforms would definitely be a plus. I couldn't explore much into those areas.

    I haven't used the new Search in Place technology feature of Cribl Search as of now because my recent engagement with a client where I deployed Cribl and the Cribl log analysis log channel was not there. If I get any chance to deploy for any other client, I will get through that feature.

    Regarding Cribl's user interface when managing log processing tasks, the newer interface looks cool compared to the initially clumsy interface. However, those aspects can be improved. I have seen that when switching between dark theme and white theme, some text is not visible clearly in the dark theme and the graphs are very hard to read. If they could improve that, it would be great.

    The initial deployment of Cribl is one area where it needs to be improved because the initial deployment takes some time. Specifically, for complex platforms such as an Infoblox DDI platform where there are no out-of-box customization packs available, you need to go through community portals and Cribl community blogs to find scripts and customization packages. It takes some time, but once that is set, it becomes easy. It's quite easy after that.

    For how long have I used the solution?

    I have been using the solution for two to three years.

    What do I think about the stability of the solution?

    I haven't contacted technical support because we haven't had any outage or situations where it was not working. I just worked in small stints for different clients, so that's why I didn't contact technical support on those things. The self-help things and documentation are really good. Cribl has certain videos available where you can go through them and get knowledge.

    Cribl doesn't require any maintenance on my end because on the DDI side, no maintenance is required. When sending the log to Cribl, Cribl is passing the logs but storing them. Maintenance will be only required if it's hosted on a VM and the disk space becomes less, then you need to increase the disk space. Basically that is taken care of by the VM team. Ideally in every enterprise, the virtualization team or data center team is different. For the storage issues, they can take care of that. Cribl is just passing and storing the logs. If Cribl is passing on device, then they need bigger storage, and if the storage is becoming less, then they need to increase the storage. That is the kind of maintenance I see, not from the source side.

    What do I think about the scalability of the solution?

    Cribl is definitely scalable because you get a platform which is kind of vendor-agnostic. Today, you have one platform, maybe a client is using Infoblox DDI, so they are sending the logs to Cribl. Tomorrow, if some other platform they are using for DDI, the log analysis channel or the log plane doesn't get affected with that. If tomorrow you need a little more processing or analysis, you add more instances of Cribl and that becomes scalable. You can scale it horizontally. Vertically also, you can add storage. Both ways it is scalable, horizontally and vertically.

    How are customer service and support?

    I haven't contacted technical support because we haven't had any outage or situations where it was not working. I just worked in small stints for different clients, so that's why I didn't contact technical support on those things. The self-help things and documentation are really good for them. Cribl has certain videos available where you can go through them and get knowledge on that.

    How would you rate customer service and support?

    Negative

    How was the initial setup?

    The initial deployment of Cribl is one area where it needs to be improved because the initial deployment takes some time. Specifically, when you have a complex platform such as an Infoblox DDI platform where there are no out-of-box customization packs available and you need to go through community portals and Cribl community blogs and find the scripts and customization packages, it takes some time. Once that is set, it becomes easy. It's quite easy after that.

    What about the implementation team?

    One or two people can deploy Cribl. That's not a big deal. You don't need a big team to deploy it. At most, I would say two people, that's all.

    What's my experience with pricing, setup cost, and licensing?

    I still have no idea about pricing because pricing and price point is basically determined by the customer with whom I work. It's taken by a very separate team, the finance team, and they decide on what price it should be. What I have seen in my implementation career with Cribl is that the licensing cost of Splunk is significant because Splunk is volume-based licensing. The more volume of data you are sending, the price also increases. Whatever they save from the Splunk side is ideally adjusted in Cribl pricing. It's a win-win situation from both ends. You save price from Splunk and you use Cribl and eventually you have a lower TCO, lower total cost of ownership at the end.

    Which other solutions did I evaluate?

    When I was looking for these kinds of solutions, I had come across Datadog and Kafka. Those are not as easily available and cross-platform as Cribl. I couldn't explore more into those other alternatives. I got a good product and I stick with that. I didn't check for others.

    What other advice do I have?

    Regarding firewall logs, I can't directly tell you the exact information because my firewall is not my area of expertise. I have definitely seen logs decrease in the Splunk logs for a DDI platform with Cribl. If Cribl forwards the logs of firewall to Splunk, then definitely there will be a decrease in the firewall log, but I can't tell exactly how that would be. I have given this product a rating of 9 out of 10.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Feb 28, 2026
    PeerSpot user
    Engineering Fellow at Pegasystems
    Video Review
    Real User
    Top 20
    Oct 15, 2025
    Enables teams to run scheduled log searches while maintaining data privacy for compliance
    Pros and Cons
    • "The features of Cribl that I appreciate the most are the ability for in-place searching for our logs, so we don't have to move our logs outside of our cloud, which gives us privacy and compliance requirements."
    • "Cribl search has affected us greatly, and it has optimized our operations teams' time and efficiency; they're able to troubleshoot and find issues for our customers in a minimal amount of time."
    • "Currently, Cribl Search is dedicated to one bucket at a time in the case of S3 buckets. The ability to search for multiple buckets would be awesome."

    What is our primary use case?

    Our main use cases for Cribl are Cribl Search, which allows us to search for logs and metrics for our cloud engineering data.

    What is most valuable?

    The features of Cribl that I appreciate the most are the ability for in-place searching for our logs, so we don't have to move our logs outside of our cloud, which gives us privacy and compliance requirements.

    Other features that we appreciate are dashboarding, alerting, and the ability to save searches so we can rerun them again on a scheduled basis. These features benefit our company in a variety of ways; mostly, our operations team can rerun their searches on a daily basis without having to rewrite the queries, and the ability to keep the data privately in our buckets is a huge requirement for us.

    Cribl's ability to contain data cost and complexity is good. The complexity is very minimal. The reason for that is that the data does not move from where it lives. So there is no cost and there is no complexity in terms of moving the data and processing the data out of where it lives currently. Everything is in place, which is huge, and it makes everything so simple.

    Cribl is great at handling a variety of volume logs as it is scalable and it uses scalable infrastructure behind the scenes, which allows us to constantly add more logs and it is able to handle it nicely.

    Cribl search affected our data exploration practices overall. Cribl search has affected us greatly, and it has optimized our operations teams' time and efficiency. They're able to troubleshoot and find issues for our customers in a minimal amount of time. It also allows us to go back and look, for example, three months back for specific issues. With other tools, it was taking us a lot longer.

    The UI is very intuitive in the sense that it gives you the chance to write your own query and customize it. And then once you figure that out, you're able to save it and rerun it on a scheduled basis so you don't have to reconfigure the query every single time.

    What needs improvement?

    Cribl can be improved in some ways; one of which is the ability to search multiple regions. Currently, Cribl Search is dedicated to one bucket at a time in the case of S3 buckets. The ability to search for multiple buckets would be awesome.

    For how long have I used the solution?

    We have been using Cribl for a little over a year now, and we use specifically Cribl Search.

    What do I think about the stability of the solution?

    We have not experienced any downtime or crashes with Cribl; however, we have experienced some delays with some of the Cribl Search queries when the volume of data is humongous. In some parts, due to how the data is partitioned in our cloud, we were aware of those situations. Even though we did experience them, we anticipated those delays, so that was expected.

    What do I think about the scalability of the solution?

    The process of expanding usage is very smooth, and Cribl Search is very scalable since it does the searches in place where the data grows, and the infrastructure behind Cribl Search is also scalable as it uses a CPU and it just spawns horizontally more instances as it demands and requires.

    How are customer service and support?

    I would evaluate the customer service and technical support of Cribl as superb, honestly. Every time we had an issue, we created and opened a new ticket for Cribl support, and they were very responsive. Usually, within an hour, we get a response, and we are able to work with them back and forth until we resolve the issues.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Prior to Cribl, we were able to use cloud-native specific solutions which were costly and time-consuming to pinpoint and figure out problems that can happen within a time window. It was not an easy user interface, and operations complained. Because of that, we started looking into other solutions, and that's how we stumbled upon Cribl.

    What was our ROI?

    The biggest return on investment when using Cribl is our time minimization for our operations team. They're able to look for customer issues real quickly, as opposed to the previous tools that we had, which were more time-consuming and also more costly. The time saved using Cribl is hours per engineer - about three hours' worth.

    What's my experience with pricing, setup cost, and licensing?

    I did not deal with pricing directly. We had a team that dealt with Cribl.

    Which other solutions did I evaluate?

    We have looked into other solutions without naming names, and we considered major tools that are in the industry that are cloud-specific, cloud-native. What stood out was that Cribl is more cost-effective, and also, the main issue for us was we wanted to keep the data in our cloud. 

    We don't want to migrate it due to privacy concerns and compliance requirements. Cribl was about the only tool that actually was able to satisfy our requirements, which is mostly the reason why we chose Cribl.

    What other advice do I have?

    I would advise someone considering Cribl to really look into Cribl products, such as we did for Cribl Search, and really examine the challenges of huge volumes of logs, as Cribl has a really nice suite of products that would satisfy these requirements. Additionally, consider the requirements of data privacy, as the data does not get moved out of your cloud. 

    On a scale of one to ten, I rate this solution a nine.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Oct 15, 2025
    PeerSpot user
    Senior Specialist at LTIMindtree
    Real User
    Top 10
    Dec 31, 2025
    Log routing has reduced data volume and now supports efficient cloud security monitoring
    Pros and Cons
    • "There are no complaints, but it has been a very good experience using Cribl."
    • "I do not think that if the pricing is on the higher side, it could be suitable for all types of users, such as small or medium ones."

    What is our primary use case?

    My usual use cases for Cribl involve collecting logs from many endpoints, including user activities. We collect logs into either a Log Analytics workspace or Event Hub and redirect to Cribl so that Cribl filters the required logs and redirects them to the SIEM tool.

    We do not get a chance to use the user interface of Cribl because our client has access to that; we only implement and do that. They will check whether it is there, but based on my experience, it will be pretty easy to see what is in the user interface, and it will be easy to manage as well.

    We have not used Cribl Search to a large extent because the client requirement was to only implement Cribl and integrate it with the SIEM. We have not used Cribl Search extensively, and I do not have any information about it.

    What is most valuable?

    The features of Cribl that I prefer most include the way it can easily be interfaced to SIEM and Event Hubs in a Log Analytics workspace. From Sentinel and from any other tool, it can easily be interfaced and it can send data to SIEM; those features I prefer to use most.

    In assessing Cribl's ability to handle high volumes of diverse data types such as logs and metrics, as of now we have not faced any problems in collecting a large number of logs. Cribl is pretty efficient in collecting logs even when there are too many logs flowing at a time. We can collect not only server logs but also OS logs and even audit logs without any difficulty, and there has been no blockage in the system. There are no complaints, but it has been a very good experience using Cribl. Since this is a software as a service, if any problem exists, we just raise a ticket to the Cribl team, and they will immediately jump into that and resolve all the questions or queries we raise.

    Regarding Cribl's scalability, we did not have any problems with any cloud compatibility. The client requirement was to use Cribl, and we were checking whether it is compatible with Azure. Within a single day, we got a solution that it is easily compatible. We just needed some prerequisites, such as opening a few ports, and we wanted to ensure that everything was working regarding the reachability of the client to the agents. Once this was done, we did not have any issues.

    What needs improvement?

    I am not in a position to comment on how Cribl could be improved or enhanced because it is a good tool, and I have only used a small part of the entire Cribl product. As of now I am pretty happy with the entire Cribl component, but there are still a lot of things to learn.

    For how long have I used the solution?

    I have been working with Cribl for the last six months.

    What do I think about the stability of the solution?

    In assessing the stability and reliability of Cribl, as of now we do not have any problems with stability. Even though we had two worker nodes in one region and a load balancer, we did not face any system issues. In case of vulnerability where we wanted to patch any one worker node, we easily did that and switched it on. We never faced a problem where some software was not there and therefore not working. Reliability-wise, Cribl is working perfectly fine.

    Regarding scalability, we started with zero servers and have around 285 servers now. We did not experience any problems or slowdowns due to a lot of load. Cribl neatly managed everything.

    What do I think about the scalability of the solution?

    I can rate Cribl's scalability around 9; I would say 9.5.

    How are customer service and support?

    I have addressed the technical support team of Cribl. Every now and then, if there are servers having legacy operating systems, the latest versions of Cribl will not be supported. We have to contact them and ask which version will be supported because they have prerequisites. Based on the prerequisite, we have to downgrade to an older version of Cribl rather than use the newer version because it expects some advanced Java version. However, due to legacy systems, we do not get all those things. We manage this because those are all crown jewels of the client, and we do not want to change anything there, so we downgrade the Cribl version and install it. We did not find any blockers because of this downgrading.

    The skills and professionalism of the technical support team from Cribl are very good in terms of timing and skills. They understand the problem clearly, and once they understand it, they will resolve it within a day. Sometimes they resolve it within hours. Sometimes by hearing the problem itself, they will know what the solution is, and they will let us know how to resolve it, and we do it immediately.

    How would you rate customer service and support?

    Which solution did I use previously and why did I switch?

    I left the organization and I am no longer in the same organization, so I do not get a chance to work with these products (Darktrace, Microsoft Defender, and Perception Point Advanced Email Security) anymore.

    How was the initial setup?

    For deploying or setting up Cribl, the requirements were given by the client, and we had to abide by that. Cribl was the only tool we had to use according to our requirement. We started with the deployment where they had given the requirements, and then we started with that and performed it successfully, starting with installing agents in all other servers.

    The deployment and setup process of Cribl was straightforward because there are two ways to deploy. We can get an EXE, click and enter the details, or there is an automated script where we can run it and it will do it automatically. In the case of Linux, it will update and install the latest package, which is also quite easy. It is not a very tough thing to install any agent inside the system. It is pretty easy.

    What about the implementation team?

    For support, we always raise a ticket to Cribl. We do not get the entire thing, but support activity is what we get. I have just implemented and I have just redirected the logs into Cribl for collecting all the security loggings.

    I am an end user of Cribl. We manage Cribl for only implementation. As we have just implemented it, I am using it in our organization.

    What was our ROI?

    In sharing my thoughts on Cribl's ability to contain data cost and complexity, nowadays because of events per second, the way of SIEM billability is based on events per second. If you inject logs into Cribl, we can save a lot of data. Many logs are repeated logs. We can easily avoid repeated logging into the SIEM, which will also reduce the fatigue for the SOC engineers. This is one positive aspect of using Cribl, as we can reduce the number of events and increase flexibility and efficiency in the environment.

    What's my experience with pricing, setup cost, and licensing?

    I'm not sure of Cribl pricing because it has been procured as a package by our client, and we are not exposed to or do not have an idea of how much they have spent to get a license from Cribl. But I understand that it is a little bit on the higher side. However, for what we have paid, the quality of service which they have provided makes us happy with that.

    Which other solutions did I evaluate?

    I do not think that if the pricing is on the higher side, it could be suitable for all types of users, such as small or medium ones. Each security component is important these days, and I feel Cribl usage always helps the product. However, it also depends on the budget they have. If they are able to use Cribl as a log monitoring tool for the SIEM according to their budget, it would be good. Again, there are pros and cons which we have to consider about their budget. If it is a very small organization, a Log Analytics workspace would be enough to collect all the logs. But if it is a big organization and budget is not a concern, I think they can go for log monitoring.

    What other advice do I have?

    I have not seen a decrease in firewall logs with Cribl so far. What we do is use Event Hub. We actually redirect the entire thing to SIEM, so it will not come via Cribl. It will come via Cribl, but it will filter the required things based on our use case. We do not write all the packets because most of the packets would have been filtered in the firewall itself. Whatever packets are coming towards the firewall, if we want to collect the logs, we are directly interfacing with SIEM and we will collect it from there so that we do not want to lose what is the external activity on the internet towards our environment.

    Based on everything I just described, I would rate Cribl overall as 10 out of 10. I have not used other parts of the feature; for whatever log monitoring I have used for Cribl, I always try to rate the maximum. However, I have not used Cribl Lake, Cribl Search, and other things they offer, so I cannot comment on those.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Dec 31, 2025
    PeerSpot user
    GhulamMujtaba - PeerSpot reviewer
    Senior Security Consultant at Securiment
    Consultant
    Top 5
    Feb 23, 2026
    Log workflows have become unified and flexible while data formats convert and normalize
    Pros and Cons
    • "Cribl is intuitive, and a user can easily see how the payload or log looks before conversion and how it looks after conversion, and what has been transferred to the destination."
    • "The only area that Cribl should focus on is cost-effectiveness."

    What is our primary use case?

    My use case is log management. The problem was in Sentinel where Syslogs park in a separate table and CEF logs park in a separate table. We were planning to convert the Syslogs to CEF format, which was not easy in Sentinel. Cribl helped us accomplish that.

    There were many applications working in the client environment with ingested logs that had different column names. We normalized those using Cribl.

    What is most valuable?

    I appreciate Cribl's overall flexibility. If I can use regex, I can write KQL things in the pipeline. The built-in functions, which are really good, are very helpful.

    I value that Cribl shows the payload before conversion, after conversion, and what has been transferred to the destination. This transparency is really great.

    Cribl is intuitive. A user can easily see how the payload or log looks before conversion and how it looks after conversion, and what has been transferred to the destination. This makes it very interesting and intuitive for the user.

    What needs improvement?

    I don't think there is much complexity because the documentation is good and Cribl University helps a lot to understand the product. Cost is sometimes a problem with customers if they don't have budgets. Otherwise, it is not that much. The value addition that Cribl provides compared to the cost is significant.

    Cribl is easier to use. The only area that Cribl should focus on is cost-effectiveness. I have deployed Cribl at four clients, and the major challenge in convincing them was the cost.

    For how long have I used the solution?

    I have been a user of Cribl for the last three years.

    What do I think about the stability of the solution?

    I don't think any of my customers have required maintenance or generated a ticket complaining about any problems in Cribl. It's working fine.

    What do I think about the scalability of the solution?

    It is manageable. It depends on how you manage it. If you manage smartly, then there is no problem. Otherwise, sometimes one or two logs can create a problem.

    How are customer service and support?

    I encountered technical support three times and I must rate it as eight out of ten. It was really awesome and very supportive.

    I would rate it as nine out of ten. During deployment of four customers, I had to contact the support team only three times, and that was also my fault. There was not a problem in the product. Cribl is very stable and a mature product.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have worked on Virtual Metrics, which is a Dutch solution, and Ninja, which is something else, but they also provide similar services. However, Cribl is a very mature product.

    I have seen a few more tools like Virtual Metrics and others, but Cribl is on top.

    How was the initial setup?

    If you have gone through the documentation properly and completed Cribl University's courses, then it is easy to deploy and implement. It is not a difficult thing.

    What about the implementation team?

    Currently, I am not pursuing a partnership. Earlier, we discussed with Cribl, but then we decided to go for three to four years without any partnership, and later on, we will look into it. Maybe in 2027, we will discuss with Cribl to develop a partnership, like becoming a reseller.

    What was our ROI?

    If I count the total of four customers, it is almost 23 users.

    What's my experience with pricing, setup cost, and licensing?

    I have not used it until now, but I am working on Cribl AIDI, the AI feature which has been recently given in Cribl. I am learning in that area.

    I think it will reduce my workload a lot. It will manage many things on my behalf if I successfully use it in a smart way.

    Which other solutions did I evaluate?

    I have seen two other solutions which claim to be competitors to Cribl. If I compare with them, I will give ten out of ten to Cribl. It is a very detailed and very mature product.

    What other advice do I have?

    It depends on whether your use case is strong enough and you think that Cribl is the only solution which can solve your problem. If so, then cost is nothing. Otherwise, it is a little expensive.

    First, when I feel that any of my customers should deploy Cribl for their use case, I discuss it with them. If they don't have budget or any constraints, then we look around. Otherwise, my first priority is always Cribl. Going with my first customer, I was a little hesitant to deploy Cribl. However, once I deployed it at my first customer and saw the results, I had evidence. Then my first priority became recommending Cribl.

    Basically, it is not my area, but if you convince the customer and the end user of the value addition that Cribl will provide them, then cost is a secondary thing.

    I give this review an overall rating of nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Feb 23, 2026