Izzy Navarro - PeerSpot reviewer
Cyber Defense Expert at Counterveil
Real User
Top 20
Mar 3, 2026
Data workflows have become streamlined as I transform complex security telemetry with confidence
Pros and Cons
  • "Cribl is a Ferrari for data analytics and monitoring, but you don't hand over the power or weaponize that tool for someone who doesn't know how to use it."
  • "If you're a customer who has no idea how to use Cribl and just buy it hoping to solve your problems, it doesn't work that way."

What is our primary use case?

My use cases for Cribl include ETL: Extract, Transform, Load.

What is most valuable?

One thing that I like the most about Cribl is parsing data and parsing data sets for security. I would say automation use cases and detections are also great aspects.

My favorite feature of Cribl is that the UI is pretty intuitive, and they have a very good open-source platform.

What needs improvement?

One challenge that I find with Cribl is that it's nuanced, so if you're not familiar with how to do specific data transactions, it's going to be a difficult solution for someone to use. You have to be educated to a specific degree and understand data communication from beginning to end, alongside understanding the tool itself and how it operates; it can be confusing and challenging for some people if you don't understand how to use it.

I can't sit here and say that I've physically witnessed a decrease in firewall logs with Cribl, but certainly, there probably is one because of the way the redundancy is used for extracting that data. It should be something that's common-sensical or intuitive with the solution if you're utilizing it correctly, meaning you wouldn't upload gigabytes of duplicate telemetry.

My thoughts on Cribl's ability to contain data costs and complexity are that it's an accurate assessment, given that the person behind Cribl utilization is knowledgeable, but there is a steep learning curve. If you're a customer who has no idea how to use Cribl and just buy it hoping to solve your problems, it doesn't work that way. You must have some understanding of ETL in general or just source data, root data, and then what you're actually looking to transform. Just buying Cribl hoping it will solve all your problems is far from the truth. Although Cribl is a great product, you wouldn't give a Ferrari to your sixteen-year-old son right when they get their driver's license; that's the best analogy I can give. Cribl is a Ferrari for data analytics and monitoring, but you don't hand over the power or weaponize that tool for someone who doesn't know how to use it. A customer can definitely do all the things that Cribl claims, but it comes at a steep learning curve and that intuitive cost.

For how long have I used the solution?

I have been using Cribl in my career for probably over seven years, maybe longer, and I can't recall the first time, but it's been years though. I would say close to a decade.

Buyer's Guide
Cribl
June 2026
Learn what your peers think about Cribl. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,495 professionals have used our research since 2012.

What do I think about the stability of the solution?

I haven't personally witnessed any instability with Cribl, and any instability I have seen was caused by user error. This means performing a function within Cribl and then getting error outputs because of something, such as how the data transaction was communicated. I have heard of an issue where too much data gets backed up, but I can't think of the specific term Cribl uses for it. Such issues are fairly common.

What do I think about the scalability of the solution?

Cribl is good for scalability, making it a good product for any organization looking to do data transformation, whether small to medium businesses or large corporations.

How are customer service and support?

I have contacted customer support for Cribl, but it wasn't for anything operational; it was for some knowledge base articles. Their customer support is extremely responsive and very communicative.

If I were to put their support on a scale from one to ten, I would probably give them an eight.

Which solution did I use previously and why did I switch?

There are plenty of alternatives out there.

The closest one in terms of quality and tools that comes to mind for data management is BindPlane, but those two are not comparable. There are other solutions as well, but there's really nothing like Cribl. Other solutions such as Axiom also come to mind, but again, you're talking about comparing Ferraris to Volkswagens or some other vehicle. Comparatively speaking, I can't really think of a solution that operates as well.

How was the initial setup?

A capable engineer should be able to deploy Cribl with ease. As I stated before, the open-source knowledge base is extremely thorough, and one with an engineering background shouldn't have a problem standing up Cribl; it should be pretty easy. The nuance comes with doing data transformation within Cribl, using pipelines, packs, and their specific solutions, which might present a learning curve. However, standing up the solution operationally is pretty straightforward.

What about the implementation team?

Regarding whether one person can do the deployment or if a team is needed, the answer isn't straightforward. In a small to medium business environment, I would say one person can do it. However, for organization-wide deployment, it depends on how efficient, effective, and optimized you want to be. You can't just respond with a direct answer; you have to ask what kind of outcomes and timelines you're looking to achieve. If you're asking me straightforwardly if one person can do it, I would say it's possible, but it's a very misleading answer.

What's my experience with pricing, setup cost, and licensing?

For pricing, I would say that Cribl is pretty standard across any of these other organizations, and it's pretty comparative depending on the ingest. Some people have different licensing models, and you have to consider ingest, scale, and what you're taking in and putting out. For instance, a license for Cribl would be five hundred thousand plus your ingest costs for your datasets, such as all your syslog and your third-party data sources. That being said, there are other organizations that have different pricing models, so it's hard to do a straightforward comparison. Axiom, for example, might have an all-inclusive licensing model around two hundred fifty thousand to three hundred thousand. To do a proper comparison, you would have to look at all the caveats. Overall, the pricing model for Cribl is pretty standard and straightforward.

What other advice do I have?

Cribl does require maintenance from the user. You need to ensure that you're updating, including comments, service versions, and that sort of regular operational maintenance. It depends on specific endpoints and end-of-life considerations, but the general answer would be that you definitely need to maintain Cribl. You can't just deploy it and say you're done.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 3, 2026
PeerSpot user
System Administrator at SGS systems Pvt Ltd
Real User
Top 20
Apr 16, 2026
Data routing has become efficient and log volumes are reduced while monitoring improves
Pros and Cons
  • "I think it is cost-efficient because overall, after using Cribl, it helps users save cost and time."
  • "The user interface is acceptable, but I think a person who is just starting to use it will need to go through documentation because there is a steep learning curve to become familiar with Cribl Stream."

What is our primary use case?

I am using Cribl Stream for data routing and data processing as part of my company's IT team. We primarily use it for monitoring and collecting data.

What is most valuable?

One of the best features is integration support because it offers more than 80 to 90 sources and destinations via Cribl packs. Additionally, the security is very good because they offer encryption and access control to protect sensitive telemetry data. The data processing and reduction is also excellent because it filters unwanted fields and removes redundant data.

I have seen a decrease in my firewall logs by 50 to 60%.

Cribl allows me to handle high volumes of diverse data, such as logs and metrics, and it helps manage them effectively.

It is helpful because it handles diverse data types and can process logs, metrics, event streams, JSON, text, structured and unstructured data.

What needs improvement?

The user interface is acceptable, but I think a person who is just starting to use it will need to go through documentation because there is a steep learning curve to become familiar with Cribl Stream. The setup is also complex, and configuring integrations and pipelines for a large environment requires significant effort.

The areas that have room for improvement are the complex setup and better documentation, such as a user guide.

For how long have I used the solution?

I have been using this product for six to eight months.

What do I think about the stability of the solution?

Cribl performs time-to-time updates and maintenance, and it must be managed effectively because we are using it daily and have not experienced any issues for a long time. The team maintaining it must be performing their job very well.

What do I think about the scalability of the solution?

Horizontally, it is quite scalable, so I rate that a ten.

How are customer service and support?

I rate the technical support a nine, and I rate the stability an eight.

Which solution did I use previously and why did I switch?

I have used Splunk, and what Cribl does is it does not replace Splunk; it optimizes the data before sending it to Splunk, reducing cost and load. Therefore, Cribl is not a direct alternative to Splunk; they are complementary to each other.

How was the initial setup?

The deployment was quite easy.

I do not know exactly how long it took to deploy because I was not the one who deployed it on the cloud, but the ones who deployed it told me that it was quite easy to deploy and there were no complaints from them.

What about the implementation team?

Roughly five to six users use the solution.

What was our ROI?

I checked out Cribl Search once, and it helped me directly search from S3 data lakes, and it did help me save time and cost.

I have not analyzed the exact amount, but in ballpark terms, it saves about 10 to 20%.

I think it is cost-efficient because overall, after using Cribl, it helps users save cost and time. If you look at the big picture, it is cost-effective.

It saves me about 30 to 40% in terms of time and cost.

Which other solutions did I evaluate?

I would highly recommend it because it is cost-efficient, helps reduce noisy logs, and filters unnecessary fields.

What other advice do I have?

I gave this review a rating of nine.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 16, 2026
Tom De Bruijn - PeerSpot reviewer
Data Engineer - SME Splunk Cribl at Royal Schiphol Group
Real User
Top 5
Mar 2, 2026
Complex data onboarding has become faster and logging volumes are now managed more efficiently
Pros and Cons
  • "Using Cribl for five years has simplified a lot of use cases when onboarding data, and because it is simplified, it takes less time, which is a huge win."
  • "I think the pricing for Cribl is acceptable, but it may not be feasible for a lot of companies in the Netherlands since you need a huge starting license."

What is our primary use case?

Transform data and reduce ingest licencing in other products (Splunk).

I have seen a decrease in logs with Cribl, but I think a lot of people expect it to decrease significantly; we are just slowing down the increase. People need to take into account that the log growth is exponential. I think this is a good takeaway. Also, you get your investment back the moment you prolong your other solutions where the ingestion has decreased, not sooner.

I think that most people use Cribl Stream, but not the other products; they mainly have the use case to reduce data. To get the other products to work for customers, there need to be better solutions, and it needs to be crystal clear what the product will bring them.

Searching data on the source is not yet wanted/allowed by companies due to (in my opinion) outdated security rules.

How has it helped my organization?

That the right data is in the right place. Talking about transforming and only sending the parts of the logs that are useful, reduction of noise.

What is most valuable?

I think the best features in Cribl are that you can do everything via the UI, making it very user-friendly, and you can see examples of the data live to preview your processing.

Using Cribl for five years has simplified a lot of use cases when onboarding data, and because it is simplified, it takes less time, which is a huge win.

What needs improvement?

I think a lot of companies would benefit from a smaller starting license. Perhaps make it free till 100GB for the 1st year; that way, companies will adopt more easily.

For how long have I used the solution?

I have been working with Cribl for five years.

What do I think about the stability of the solution?

I would rate the stability an eight out of ten because, although I rarely experience downtime, I would say it's an eight out of ten.

What do I think about the scalability of the solution?

Cribl works fine if you scale properly, handling high volumes of diverse data like logs and metrics effectively.

Cribl is scalable for my organization and I would rate it a nine, but when onboarding a new data stream, it is sometimes hard to know how much impact it will have in your environment. Based on some calculating figures, you don't know beforehand what the impact will be.

How are customer service and support?

I would rate the technical support for Cribl a nine.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

No, other companies offer bits and pieces of what Cribl does, but not a comparable solution.

How was the initial setup?

My experience with the deployment of Cribl is that it's really easy.

It takes a day to instrument Cribl, but onboarding all the data takes weeks.

What about the implementation team?

In my company, Cribl is purchased directly, but in another company I worked with, it was via a partner.

What was our ROI?

It's an easy win for larger companies; other ingestion costs are, for instance, 600 dollars per GB per year and Cribl maybe like 100, that's a $500 win per GB, so it's easy to get money back. The starting license, however, is 1 TB, which might be a drawback for smaller companies.

What's my experience with pricing, setup cost, and licensing?

It's an easy win for larger companies; other ingestion costs are, for instance, 600 dollars per GB per year and Cribl maybe like 100, that's a $500 win per GB, so it's easy to get money back. The starting license, however, is 1 TB, which might be a drawback for smaller companies.

Which other solutions did I evaluate?

I think Cribl is quite a unique product with no real competitors; there are competitors that do bits and pieces, but not the full product. If you take Splunk, you can do bits but you cannot send your data to other platforms, so it isn't really a comparison.

What other advice do I have?

There are no cons for Cribl that I can think of.

Approximately 15 users work with Cribl in my organization because we don't allow everybody access, so it's local.

Cribl does not require much maintenance; just some updates from time to time, but those are really easy.

I do not use the new Search-in-place technology in Cribl Search because it's not allowed in the company that I work for.

I give Cribl a nine because it is very simple to use and it covers a lot of use cases. The best part is you can talk directly to developers/technical support on Slack.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 2, 2026
Kester Chidley - PeerSpot reviewer
Security Engineering Programme Manager at a government with 1,001-5,000 employees
Real User
Top 5
Feb 26, 2026
Data routing has reduced firewall noise and now optimizes log volumes and costs
Pros and Cons
  • "Cribl's ability to contain data cost and complexity is actually very good."
  • "Some downsides of Cribl include that it was quite a long sales cycle for us, but that was probably partly my fault as well."

What is our primary use case?

My use cases for Cribl basically involve being part of a Splunk theme organization where I was brought in to do a soft confirmation program, and I was onboarding more and more logs into Cribl as my license costs kept going up. We did some filtering using Cribl.

What is most valuable?

What I liked the most about Cribl is the way it handled firewall logs and the way it could handle Microsoft Windows server logs as well.

Cribl's ability to contain data cost and complexity is actually very good. I don't have a problem with Cribl whatsoever. It's not one of those products that says it does something it doesn't. I still think that vendors trying to compete against Cribl are going to lose this one.

Cribl handles high volumes of diverse data types such as logs and metrics very well. I was handling approximately three terabytes of logs a day, and I have had no problems with it at all. I'm sure there are bigger organizations out there, but three terabytes is still substantial. The enterprise organization I worked for had over a hundred thousand employees on a global scale and twenty thousand servers, so it's a big company.

What needs improvement?

Some downsides of Cribl include that it was quite a long sales cycle for us, but that was probably partly my fault as well. There weren't really any negatives on the product itself.

Cribl can do better by tightening up their Cribl packs, as I think there were numerous flavors of different configurations that weren't supported. There were a lot of unsupported Cribl packs and they probably need to get that certified or do something about that.

For how long have I used the solution?

I have been using Cribl in my career for about two years in a previous role.

What do I think about the stability of the solution?

Regarding stability, I have not seen any lagging, crashes, or downtime at all with Cribl.

What do I think about the scalability of the solution?

Regarding scalability, we obviously worked for a larger enterprise-based organization, and we had to build resilience into our solution. Cribl was scalable, so there were no problems with it.

How are customer service and support?

I know we had access to Cribl University. I don't think we actually made any calls to Cribl support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used alternatives, and we evaluated the Splunk offering. I can't remember the name of it now. Splunk had a name for it, but that wasn't as good because it didn't actually segment the logs into different buckets. I had to ingest the whole bucket, and I didn't want that. We did look at other products on the marketplace, but obviously vendor-specific to Splunk.

How was the initial setup?

The initial deployment was easy. We had a design, and we went through our own processes internally to get that all done. We put some exceptions criteria in place for what we did, and we built it out in the cloud, and we did the connections cloud to cloud. It was paced as easy.

What about the implementation team?

For the deployment, we had two people: my internal guy and the Cribl presales engineer who helped me out.

What was our ROI?

I have seen a decrease in firewall logs with Cribl of about seventy percent.

What's my experience with pricing, setup cost, and licensing?

Regarding current pricing, it was based on an ingress-based model that we used, and it was favorable. It was cheaper than the Splunk license. We didn't have a problem with the purchase.

What other advice do I have?

It took us only a couple of weeks to fully deploy Cribl. We got it up and running, went through batches of what we were doing, and set up the Cribl stream and the heavy forwarders, and got all that working. It wasn't too bad. We looked at some of the Cribl packs, which are the predefined configurations. It was easy to get set up. It was cloud to AWS cloud in our case.

Cribl did not require any maintenance on my end. I'm not the technical person; I'm the program manager. I would rate this product an 8 out of 10.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Feb 26, 2026
PeerSpot user
Cyber Security Advisor at Orange Cyberdefense
Real User
Top 20
Mar 2, 2026
Centralized data routing has simplified deployments and has enabled flexible telemetry use cases
Pros and Cons
  • "Cribl feels a lot easier to use and more intuitive, gives you more capability, and you don't have to work as hard to set things up."
  • "One thing I think is that Cribl is very dependent on the packs. If you don't have packs and you need to do things on your own, it's not trivial."

What is our primary use case?

I recommend Cribl as a solution to customers who have a lot of telemetry data because it provides flexibility within data routing.

It saves us a lot of time because the auto-deploy and auto-updates from one central panel are much easier to manage. When managing deployments manually, it takes 10, 15, or 20 times more time compared to using a central management UI.

One advantage we've seen is that during customer presentations, we can ask customers which specific use case they want us to present, and then we can use Cribl AI to present that. This has enabled us to present use cases that aren't even security telemetry.

We had a use case where we didn't know how to proceed at all, so Cribl helped us 100 percent. We didn't have any knowledge going in on how to collect temperature data and harmonize it into one format when the customer wanted us to showcase different temperature scales such as Fahrenheit and Celsius, along with different decimal separators like commas and dots.

What is most valuable?

Cribl is very easy to get started with, and you can get going very quickly. It has an interface that is very user-friendly, so you can set it up and start connecting sources with consumers fairly quickly.

Cribl offers a lot of what they call packs, which are valuable resources. However, I do think you need to be a pretty technical person in order to make sense of the UI. The product is not easy to use for just anyone.

Cribl works well and is fairly easy to set up, especially with firewalls, which are one of the baseline use cases. As long as there are packs available, it's a really good product and easy to manage. However, if there are no packs and you need to code it yourself, the learning curve is a bit steep. Thankfully, Cribl AI is now available, so you can prompt inside the tool and get help on how to set up all of the different rules.

What needs improvement?

One thing I think is that Cribl is very dependent on the packs. If you don't have packs and you need to do things on your own, it's not trivial. You'll have to make a real investment in training and experimentation.

Cribl needs to think more broadly. The product really comes down to having a higher level of flexibility in data routing. You can send data to multiple destinations at the same time and you're not locked into anything.

I would like to see an investment in a broader range of use cases beyond security telemetry data. For instance, I know that the railway industry is very interested in finding data pipeline tools for the data that trains create when they're driving.

For how long have I used the solution?

I have been using Cribl for about two years now.

What do I think about the stability of the solution?

Cribl is very stable and scales really well. Besides the fact that the worker nodes consume a lot of resources if you push them, it scales very well. It's easy to spin up new nodes, and they're very stable.

How are customer service and support?

I think the Cribl team is awesome. In Sweden, they're really great. The cybersecurity market in Sweden isn't that big, so it's the same people working in the industry. The Cribl team in Sweden is really a great team, and it works really well with our organization.

Which solution did I use previously and why did I switch?

I work with Logstash and Gigamon, which are the main two tools I've worked with. You can also do some things in the command line, but they're more efficient with how you integrate, so that's another way to do it.

Cribl feels a lot easier to use and more intuitive. It gives you more capability, and you don't have to work as hard to set things up.

How was the initial setup?

Cribl is a little bit more pricey than Logstash, which is one disadvantage.

What was our ROI?

I strongly recommend doing a proof of concept to see Cribl in action and always do an ROI calculation. Don't be surprised if you save money in the end on investing in Cribl.

Which other solutions did I evaluate?

I work with Logstash and Gigamon, which are the main two tools I've worked with. You can also do some things in the command line, but they're more efficient with how you integrate, so that's another way to do it.

If you're very efficient in Splunk or in Sentinel, then you could argue that you don't need Cribl because you won't save that much money. However, they are two different products with their own pros and cons.

What other advice do I have?

Cribl is very focused on security telemetry, but I feel their product has really good use cases for other things, such as the temperature example I referenced earlier.

Cribl is not a solution for the smallest customers because you need to have a certain throughput of volume. If you have just 200 users, then Cribl is not the appropriate tool to discuss.

The main product we work with is Cribl Stream. I would give Cribl a rating of 9 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Last updated: Mar 2, 2026
Hiten Nandasana - PeerSpot reviewer
Angular Developer at Flourish Software
Real User
Top 5
May 26, 2026
Data optimization has reduced log volume and now simplifies monitoring and multi-year retention
Pros and Cons
  • "Cribl brings two main improvements to our organization. The first improvement is cost saving, as we can save a lot of cost by reducing the data. The second important improvement is the data quality, which is also one of the most critical aspects because it filters the data and makes it whatever we want to see."
  • "One improvement Cribl could work on is Cribl's Git integration."

What is our primary use case?

We started using Cribl one year ago for data optimization.

Currently, we are using Cribl for its one terabyte ingestion that is free, which is one significant advantage. We are using it for that purpose only at this time. We are a customer and we are planning to purchase it, with almost a deal in progress. This month or next month, we will be purchasing Cribl.

Currently, we are not using metrics; we are using Cribl only for event-type logs. We do not have much data for metrics, so we are directly flowing that to Splunk. For logs, we are using Cribl, and there is also monitoring available, which is very good. Cribl's monitoring dashboard has a lot of graphs by default, so we can use that to populate our searches and run them, which is helpful.

We are using Cribl Stream for our streaming purposes and not using Edge due to our existing Splunk agent deployment. We occasionally use Cribl Search to investigate, especially during the deployment phase, which allows us to search some internal Cribl logs. We use Cribl Lake to store the internal data.

We utilize Cribl Search only for internal purposes. For example, when we experience back pressure issues, we search that particular source in Cribl Search to check their source logs, how back pressure was created, when it occurred, and what errors arose. We only keep internal logs in Cribl Lake, enabling us to search them. Cribl Stream's monitoring dashboard shows everything, including when there is a spike, the KVP data, and all related information.

What is most valuable?

Cribl's best feature is that the UI is very simplified, so if a new person is there, they can easily understand everything. The UI is very simple and good. Other than this, data flow and data visibility are among the best features. We can directly see how our data is going from where to where and with the live data, live logs, everything we are able to see.

I find that it is very easy to describe my experience with the user interface when managing log processing tasks. It is very easy to manage all the data and all the data flows. Everything in the UI is very easy. Also, there are a lot of sources, a variety of sources, a variety of destinations available, many ports, data, and many scripts. Everything we think of is available in Cribl, so from wherever we think we can get the data and wherever we want to put it, we can put that as well.

For firewall logs, there is a default parser available in Cribl, so we are using that parser. In addition, there are many default parsers for various firewalls such as Palo Alto and Fortinet. This is very helpful to us as it will extract all the data, and we can remove the fields that are not required, which is reducing a lot. This is one reason we are purchasing Cribl for Splunk.

Cribl brings two main improvements to our organization. The first improvement is cost saving, as we can save a lot of cost by reducing the data. The second important improvement is the data quality, which is also one of the most critical aspects because it filters the data and makes it whatever we want to see. Cribl helps us manage our data quality very well. Since we are in the beginning phase of using it for one year, I believe this product will help a lot as time goes on.

What needs improvement?

One improvement Cribl could work on is Cribl's Git integration. If I want to integrate my private repository, I can do this, but there is a specific format required in Git. If I commit something to Git, Cribl won't pull it automatically. We can upload from Git to Cribl, but not the other way around, so that is an area that needs to be addressed.

For how long have I used the solution?

We started using Cribl one year ago for data optimization.

What do I think about the stability of the solution?

Stability-wise, Cribl is a very stable platform with no issues.

What do I think about the scalability of the solution?

In terms of scalability, Cribl is indeed scalable. We just need to increase the license. Currently, we pass 600 to 700 gigabytes of data through Cribl, and we plan to increase more, up to two terabytes. For that, we will need to purchase an additional license, but as time goes on, we just need to increase our license.

How are customer service and support?

I rate the technical support as a nine out of ten.

Which solution did I use previously and why did I switch?

There are other vendors such as Splunk, which includes its default solutions such as Splunk Edge Processor or Splunk Ingest Processor. I have heard about them, but they tend to be very technical, requiring a lot of queries. While there is a UI available, you cannot see the data flow properly. It becomes very difficult to manage your data on other platforms. In contrast, Cribl simplifies everything, with default systems and routes that allow your data to go through a pipeline to its destination. There is a straightforward flow where you check live data, can test your pipeline, and it is all very simplified compared to other platforms, which often require excessive queries to resolve issues. Fixing problems in Cribl takes thirty minutes instead of wasting a whole day in other products.

How was the initial setup?

Cribl's deployment is very easy and straightforward, similar to Splunk. If you know how to install Splunk, then it is a copy-paste process. It is not complex for us since we also deploy Splunk on-premises.

What other advice do I have?

For now, we are just an end-user.

Currently, we are using Cribl on-premises, and I think we have not explored it much. However, I can say that everything is good; I do not find anything needing improvement since I do not have a deep dive into this product.

Maintaining Cribl is easy; we do not see any downtime or major issues at all. Sometimes we experience back pressure issues due to source spikes, but they are acceptable as they come from the source and not from Cribl's end. Cribl effectively manages these situations, addressing spikes from sources and destinations.

As of now, we maintain five years of data, and we have not changed that. However, we plan to increase retention from five years to seven years with Cribl since we now have less data. Currently, we have 100 terabytes of data, and eventually, we aim for 700 gigabytes, which is significantly less.

I will surely recommend Cribl to everyone who has data exceeding one terabyte because it helps a lot for such customers. They can send data to multiple destinations and stream solutions, significantly enhancing data quality and reduction. Thus, purchasing Cribl is essential for them.

I give Cribl an overall rating of nine because I am not well-acquainted with Cribl Edge. I have just heard about the in-place search feature, but I have not explored that area, so I cannot comment on it. I am familiar with Cribl Stream, Lake, and Search, which is why I give it a nine instead of a ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: May 26, 2026
PeerSpot user
Junior Software Developer at a tech services company with 11-50 employees
Real User
Top 20
Mar 31, 2026
Centralized data pipelines have reduced daily log volumes and optimized observability workflows
Pros and Cons
  • "Cribl is excellent for scalability, as it is good overall for pipeline maintaining, horizontal scaling, distributed architecture, parallel pipelines, and load balancing."
  • "Sometimes Cribl goes down, and we miss logs during that time, which is an issue."

What is our primary use case?

I use Cribl for optimizing Splunk data. For example, I have approximately 10 TB of daily data integrations. I route the data through Cribl, optimize it, and index it into Splunk, reducing it by 30 to 40 percent. For instance, at 10 TB of integrations, it becomes 5 TB after Cribl optimization. I use Cribl for firewall logs, event logs, Windows logs, metrics logs, and EDR logs.

What is most valuable?

The feature I appreciate is the connection between Splunk and Cribl, which is very useful for routing data and pipeline filtering. Cribl has a central management system that controls all data pipelines and configurations.

Cribl works centrally by using the main Cribl instance and managing configurations, pipelines, routing routes, and all worker nodes. The leader nodes act as a central node and manage pipelines, route packs, and configurations while distributing them to the worker nodes. The worker nodes process actual logs and send the processed logs to destinations such as Splunk, S3, and other SIEM tools.

What needs improvement?

Cribl pricing is a concern. Cribl Stream is very powerful but costly as it scales with data volumes. For large and heavy systems, it becomes pricey compared to other similar tools. While it is flexible, it is not beginner-friendly. Pipeline routes and transforms can feel complex at first.

For how long have I used the solution?

I have been using Cribl for my business for the last 1.5 years.

What do I think about the stability of the solution?

Sometimes Cribl goes down, and we miss logs during that time, which is an issue. I experience downtime with Cribl, and this is the only issue I face. Otherwise, we do not have any other issues. When there is downtime, we cannot get logs into Splunk, and based on those logs, we get alerts and crypto triggering repeatedly, creating multiple incidents and sending emails to our customers, which is very problematic during downtime.

What do I think about the scalability of the solution?

Cribl is excellent for scalability. It is good overall for pipeline maintaining, horizontal scaling, distributed architecture, parallel pipelines, and load balancing. We handle real-time data with several GB of data per day and one TB of data, which is a very high volume of observability pipelines. Multiple pipelines run at once and different data sources process independently. There are no signal bottlenecks, and managing configuration is straightforward. Overall, it is long-lasting and good for stability and scalability.

Which solution did I use previously and why did I switch?

As of now, I do not use any alternative to Cribl.

How was the initial setup?

The initial setup is moderate. It is not too hard and not too easy. For experienced people, it is very easy. One person is enough for a Cribl deployment if you do not have a very large environment. Otherwise, you need different types of people at a large-scale environment. For beginners, it is moderate, neither too hard nor too easy. For experienced people, it is very easy because they have experience with it.

What about the implementation team?

All the nodes and components can be deployed from start to end within a certain timeframe. A quick setup following the official guide from the documentation takes approximately one hour. Normally, production setup takes one to three days. The breakdown is approximately two days for deployment and configuration, and the third and fourth days for pipelines and testing. A full enterprise deployment at a much higher level takes one to four weeks, depending on the difficulties and architecture involved.

What's my experience with pricing, setup cost, and licensing?

For the current user at a small level, the pricing is good. At a large level, it is not too heavy. The main model of pricing is based on data integrations at approximately $0.32 per GB for ST enterprise estimate. This is good and not too high or too low, falling within a medium-level range.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 31, 2026
Dhyey Padalia - PeerSpot reviewer
Software Engineer at SGS systems Pvt Ltd
Real User
Top 20
May 18, 2026
Streamlined log processing has reduced storage costs and improved real-time data routing
Pros and Cons
  • "Cribl features integration support since it works with 50 plus sources and destinations, data routing and flexibility allowing me to easily route telemetry to multiple destinations such as SIEM, data lake, and cheap object storage, and data processing and reduction because it filters out unwanted fields, removes redundant data, and restructures logs before reaching systems, which is helpful in saving cost and improving performance."
  • "My experience with the user interface when managing log processing tasks is quite complex for new beginners, and there is also a documentation gap that leads new beginners to take a while to get fluency over the software."

What is our primary use case?

I have used Cribl Stream for filtering service logs, reducing data volume before sending it to Splunk, and enriching logged data with custom context.

What is most valuable?

Cribl features integration support since it works with 50 plus sources and destinations, data routing and flexibility allowing me to easily route telemetry to multiple destinations such as SIEM, data lake, and cheap object storage, and data processing and reduction because it filters out unwanted fields, removes redundant data, and restructures logs before reaching systems, which is helpful in saving cost and improving performance.

We have observed a 30 to 40% reduction in log volume hitting the firewall.

Cribl Stream handles a high volume of data very efficiently as it is designed to process log metrics and data from multiple sources in real time without major performance impact. We tested Cribl Stream with different types of machine data and even with large ingestion volumes, and the platform remains stable because of its distributed and horizontally scalable architecture.

I can assess Cribl's ability to handle high volumes of different data types, as it can handle multiple formats because it supports structured and unstructured data formats such as JSON, CSV, XML, and plain text logs. It processes and transforms data in real time with low latency. In our PLM environment, we had logs coming from multiple enterprise systems and services, and Cribl helped normalize and route those diverse logs efficiently before forwarding them to Splunk.

What needs improvement?

My experience with the user interface when managing log processing tasks is quite complex for new beginners, and there is also a documentation gap that leads new beginners to take a while to get fluency over the software.

Areas that have room for improvement include the complex UI for beginners and the documentation gap. One challenge initially was configuring pipelines and understanding parsing rules because of this gap, and I think there should be more plug-and-play integration examples for common enterprise tools.

For how long have I used the solution?

I have been using Cribl for 13 to 14 months.

What do I think about the stability of the solution?

Cribl is a stable solution, and overall, I give it a 10.

What do I think about the scalability of the solution?

Cribl's architecture is quite scalable because it horizontally scales whenever required, so I give it a nine for scalability.

How are customer service and support?

I would rate the technical support as nine out of ten.

Which solution did I use previously and why did I switch?

This is my first time using this type of solution, and I have not used any other alternative or competitor solution, so I am not aware of other options.

What about the implementation team?

My team members mentioned that it was not difficult to deploy it; it was handled by two of our IT team members.

What's my experience with pricing, setup cost, and licensing?

I find the pricing of Cribl to be cost-efficient because it has helped us save costs for data storage by removing unwanted logs.

What other advice do I have?

I am aware of Cribl Search and its new search in-place technology, but I have not used it.

I am pretty new to Cribl and have only used Cribl Stream, but I am looking forward to exploring other products such as Edge, Search, and Lake.

I would highly recommend Cribl because it has been very helpful in cost optimization. I give this review an overall rating of 9.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 18, 2026
Kasthuri Ganeshguru - PeerSpot reviewer
Senior Cyber Security Architect at a tech vendor with 10,001+ employees
Real User
Top 20
Mar 26, 2026
Data routing has improved precision and flexibility while pricing and alerting still need work
Pros and Cons
  • "Cribl handles huge volumes of data exceptionally well."
  • "Data cost is a concern, as Cribl charges for everything it sees rather than everything it processes."

What is our primary use case?

I use Cribl as our data ingestion source, with Cribl Edge agents installed across all servers. Cribl is used at the pipeline or routing level to send data to our SIEM platform.

Firewall logs are sent to Cribl, and Cribl routes specific logs to our SIEM tool while sending others to archive storage. This segregation and separation capability is not possible with any other tool, which makes me very satisfied. However, Cribl charges us for all firewall logs that it observes, not just what it processes and outputs.

What is most valuable?

Cribl performs parsing and field reduction exceptionally well, cutting down unnecessary fields and delivering only the right data. However, Cribl charges for everything it sees rather than just what it parses. We might ingest a large volume of data but only process about forty percent of it, yet we are charged for one hundred percent of the data ingested into Cribl.

The ability to bifurcate or trifurcate data and send it to multiple destinations is a feature we love. I have been a Splunk user for over eight years, and this is something Splunk did not have until Cribl introduced it specifically for this purpose.

Cribl handles logs, metrics, and various data sources really well. I have ingested up to fifty terabytes of data per day, and Cribl has never failed or caused trouble from that perspective. Cribl handles huge volumes of data exceptionally well.

What needs improvement?

A feature I would want Cribl to add in future releases is the ability to create a greater number of fleets. Currently, Cribl has a limitation on the number of fleets that can be created. In an enterprise environment, different types of servers belong to different applications and should be organized accordingly, as each has a different change management cycle and upgrade cycle. Cribl cannot be upgraded all at once, so we want to separate fleets so we can perform upgrades in batches rather than all in one shot. Increasing the number of fleets would be greatly appreciated.

Data cost is a concern, as Cribl charges for everything it sees rather than everything it processes. I do not see much cost-effectiveness from this approach. If we could do pre-processing before sending data to Cribl, then Cribl would be cheaper than other tools, but if we could do that, we would not need Cribl at all. This costing model has been concerning for a while. Better options based on user base, enterprise size, or data volume would be beneficial. More options to choose from for pricing tiers are needed, as the current offerings are very limited.

I have used Splunk previously and have been using Palo Alto XSIAM. Palo Alto XSIAM has integrated features from Cribl, Splunk, and Sentinel into one comprehensive tool, taking the best features from all three. Another concern is that there is not much default alerting available for Cribl metrics, and custom alerting is also difficult to configure. For example, backpressure monitoring has only very limited use cases available out of the box when monitoring Cribl environment health. Cribl could take steps to increase the number of use cases and add guardrails around how much volume can be ingested. Options to create custom alerting would be helpful, such as alerts when certain metrics go down or up, or when the catchall is filling up. These options exist but are very complicated to set up. Unlike users who have been using Splunk for ten years and transitioned to Cribl, I find it very difficult to navigate and create alerts in Cribl. The ease of use could be improved by providing default options that can be leveraged and customized as needed.

Cribl initial deployment was easy, but for large enterprise networks and big organizations, Cribl does not support operating systems earlier than 2012. This creates a problem, and a package should be available for anything below 2012 that works as expected. Currently, Cribl only approves packages for 2012 and above, but some organizations require applications to run on legacy servers. This option is not available, and we are unable to get Cribl installed without finding alternatives or going back to using Splunk to pull data and then stream it to Cribl. This causes significant operational challenges, and if this could be fixed with one version that supports everything below 2012, it would be greatly appreciated.

Cribl is deployed both on-premise and in the cloud. Cribl placed sample data in one of the YAML files that contained examples of personal data like social security numbers or credit card information. When this YAML file was included in Cribl package itself, vulnerability scanners detected it as a non-compliance or data loss concern, even though there was no actual personal information, API keys, or sensitive data present. These were just examples provided by Cribl. Cribl fixed this issue in the latest version after we brought it to their attention. Going forward, I would like Cribl to think about this from a bigger enterprise perspective, as endpoint security tools will detect all of these concerns. It is not just about processing data but also about the problems faced when deploying it in a large enterprise. This thought process needs to increase from Cribl's side.

For how long have I used the solution?

I have used Cribl for over a year.

How are customer service and support?

A dedicated support portal is available, and support cases are usually raised through a dedicated email. Responses are received at reasonable times, so this has not been a problem. I would give support a rating of seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 26, 2026
Manoj Gowda J - PeerSpot reviewer
Security Engineer at Tecplix
Real User
Top 20
Sep 22, 2025
Helps reduce log ingestion cost by dropping unnecessary events and customizing pipelines
Pros and Cons
  • "The best feature in Cribl, when getting logs from some custom application, is the ability to break up logs that pile up together and come as one event."
  • "Cribl is a very good platform to work with, with lots of features that other platforms don't provide."
  • "Their documentation should be updated."
  • "The deployment itself is a bit complicated and the documentation is not very clear."

What is our primary use case?

Our use case for Cribl is actually a data pipeline where we collect logs from the source and we stream it through Cribl and then to a destination. The destination is mainly the SIEM tools such as CrowdStrike or SecOps. We collect the logs from various sources, and even the Windows logs are streamed through Cribl worker nodes and data lakes. For example, if it is AWS, from the S3 bucket we stream to Cribl and then send it to Google SecOps, which is the primary SIEM we are using.

What is most valuable?

The best feature in Cribl, when getting logs from some custom application, is the ability to break up logs that pile up together and come as one event. 

Cribl has a feature called JSON Unroll or Unroll function that allows you to differentiate the events; each event will come ingested as a single log instead of piling it up with multiple events. This is critical as this generally happens in CrowdStrike. This feature helps us significantly.

When the ingestion is high from unwanted logs, logs not related to security purposes can be dropped by writing the parser function. By dropping events that are not required for security purpose monitoring, we can reduce the ingestion, which drastically reduces the cost as well. Cribl gives another option where I can store some logs, and when needed, I can pick them up from there.

The interface is very handy and not very complicated, yet there are many functions you can perform. You can play around with numerous functions, parse there, and add UDMs to SecOps, which makes it really easy.

To simplify the pipeline, when we go to the pipelines, there are vast options. We can make it fit specific requirements based on the customers. I would prefer a customized or simplified version. Cribl is a very good platform to work with, with lots of features that other platforms don't provide.

What needs improvement?

Cribl is a stable product; however, there are areas for improvement. Their documentation should be updated.

For how long have I used the solution?

I have been using Cribl for a year and a half.

What do I think about the stability of the solution?

Cribl is a stable product, but there are areas for improvement. Since Cribl is on-premises, server maintenance is required, and we have an IT team specifically to look into that. We are not worried about that.

What do I think about the scalability of the solution?

There is a similar platform by Google called BindPlane, which is not capable of handling high volumes of data as the data gets stuck in the pipeline, causing ingestion delays. 

However, Cribl does not present that problem. Since I have worked with both data pipeline tools, I can compare and say that Cribl is more mature than others.

How are customer service and support?

I have not reached out to Cribl support. That said, my colleagues have.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I'm using another product called BindPlane, which does almost the same things; however, Cribl is a very mature product with many functions. You can use the Eval function, Unroll function, break events, add any particular field you want, or parse in Cribl before sending to a destination.

How was the initial setup?

The initial setup involves dropping some events that are not required for security purpose monitoring. This is based on suggestions from our SOC team or customers.

The deployment itself is a bit complicated and the documentation is not very clear.

What about the implementation team?

We are a partner with Cribl. We have CrowdStrike, and CrowdStrike has partnered with Cribl; they even changed the name to CrowdStream.

What was our ROI?

It has saved my cost and our customers' cost drastically since I cannot drop the logs directly in SIEM. In Cribl, I can drop the logs, and when I'm not ingesting them, their licensing cost is drastically reduced.

What other advice do I have?

Cribl Search is quite handy; you can use regex where there's a function that contains, and you can search for a specific keyword, which shows everything that matches that keyword. After playing around a couple of times, it becomes easy. At first, it is complicated; you need to go to worker groups, select the data lake, select the worker node. Once you get used to it, it's quite handy. I would definitely recommend Cribl to other users. 

Based on my experience, I would rate Cribl eight out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free Cribl Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026