Our use case for Cribl is that we want to make sure that we parse everything correctly, and it is easier for us to transfer our data in our system in a more compact way; it runs smoothly.
Cyber security analyst at PBF Energy
Runs smoothly and stands out with its well-organized user interface
Pros and Cons
- "Our experience with Cribl has been very smooth; everything runs seamlessly, there are no delays or sluggishness, which I really appreciate."
- "When I explored the endpoint, I found myself wishing for clearer instructions presented in a sequential manner."
What is our primary use case?
How has it helped my organization?
We're in the beginning stage of using Cribl, but the reduction in firewall logs will help significantly with processing speed. We just worked on handling high volumes of diverse data including logs, metrics, and files last week, and it ran very smoothly with quick processing.
What is most valuable?
The best feature about Cribl is how easy it is to move; the UI is very simple, everything is very neat, and everything is organized. We have been dealing with Cribl extensively recently.
What needs improvement?
Cribl is awesome. The university offers a lot of great resources, but there could be more detailed information about Cribl itself. It would be helpful to have a step-by-step guide that covers everything from the basics. Since Cribl is such a large platform with numerous features, having a clear, structured approach would make it easier for me and others to understand and utilize its capabilities.
I believe it would be beneficial to have a step-by-step guide for users on our endpoint. This would make it easier for them to understand how to use it. When I explored the endpoint, I found myself wishing for clearer instructions presented in a sequential manner. This is just a small critique based on my experience using it so far.
Buyer's Guide
Cribl
March 2026
Learn what your peers think about Cribl. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
885,311 professionals have used our research since 2012.
For how long have I used the solution?
We started using Cribl around three months ago.
What do I think about the stability of the solution?
I would rate stability as a nine; nothing is perfect, but it's great.
What do I think about the scalability of the solution?
I would definitely give scalability a nine as in terms of what we're seeing and thinking about, it's solid.
We have around eight or nine users. Everyone is touching base with it. For now, it will stay at eight unless we expand. We are going through an expansion, so it’s possible we might increase the number of users; but for now, we’re steady at our current count. We are a medium-sized business.
How are customer service and support?
Their customer support is fantastic.
Which solution did I use previously and why did I switch?
We were using a manual solution previously; this transition to Cribl is our first time implementing an automated solution.
How was the initial setup?
We are typically on-premises. I believe Cribl is currently focused more on the OT side because the primary customer base is more enterprise-oriented. OT relies heavily on this. However, if I'm not mistaken, we operate in an on-premises or hybrid environment; we are definitely not using the cloud.
We are still in the process of deployment, and so far, the deployment has been going fairly well and has been relatively quick for us.
We are in the transitioning stage; we're implementing everything from square one with our team, participating in daily calls to make that happen. We are experiencing some issues with data transfer and parsing errors, which is extending our SIEM transfer time.
What was our ROI?
Based on what our managers say, we have saved a significant amount of time and resources moving from a manual approach to something that's more automated.
Which other solutions did I evaluate?
As I visited different booths at the conference, I realized that I still prefer Cribl. Even though I haven't worked with any other platforms, I was impressed by how everything is laid out and how simple it feels to work with your system. I genuinely appreciate the user interface. I find it straightforward and well-organized, making it easy to navigate.
I also noticed that they have implemented something like a password manager, which sounded familiar. Overall, everything I saw reaffirmed my preference for Cribl. So, despite checking out various booths, I'm still committed to Cribl at the end of the day.
What other advice do I have?
I would definitely recommend it. The user interface is great, and the customer support has been fantastic as well. Our experience with Cribl has been very smooth; everything runs seamlessly. There are no delays or sluggishness, which I really appreciate. I have to give it props for that; everything operates very smoothly.
I would rate Cribl a nine out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 18, 2025
Data Engineer at an outsourcing company with 1,001-5,000 employees
Data workflows have become streamlined as I manage costs and parse diverse sources efficiently
Pros and Cons
- "I think Cribl is an excellent tool for helping to manage data cost and keep it down as well as manage complexity."
- "The speed was fast. The quality, however, there wasn't a solution just because I think it was a bug and it was never fixed as far as I know."
What is our primary use case?
I use Cribl to move data and help with moving data, connecting different data sources to different destinations, which is what I mainly use it for.
I also use it to help parse the data as well.
What is most valuable?
Something that I really appreciate about Cribl is the preview feature. Whether it would be on the JavaScript I'm working on, it shows me the output in real time, which really helps with development.
I also appreciate the preview feature when it comes to data pipelines, as it shows me in real time how my pipeline would be working with the data. Additionally, I really appreciate the live capture feature as well to get an idea of how the data looks at different stages in the Cribl environment.
I think Cribl is an excellent tool for helping to manage data cost and keep it down as well as manage complexity.
What needs improvement?
Cribl has come a long way. I've been using it for three years, but there are still a lot of other features that I would appreciate regarding new data sources. One example would be open WebSockets.
There's currently not a native feature for that, so that requires a lot of time in development. I would also appreciate better support for JWT tokens for a REST API collection. While sometimes it does work, it seems very janky and seems like a stitched-together solution. It would be nice if there was a more supported version to help with JWT.
For how long have I used the solution?
I've been working with Cribl for a long time, at least three years, maybe more.
What do I think about the stability of the solution?
Cribl is very robust. It's not perfect, but very good stability.
What do I think about the scalability of the solution?
Cribl is very scalable. The product itself lends itself well to being scaled. Any issues I've had with scaling have mainly just been human issues of people not wanting to scale, but the product itself is very capable of scaling.
How are customer service and support?
The speed was fast. The quality, however, there wasn't a solution just because I think it was a bug and it was never fixed as far as I know. The speed was nice, but there was never a solution provided.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
I use Splunk.
What was our ROI?
From what I understand, I'm mainly on the engineering side, not the sales side, but the pricing is very competitive. Although the pricing can be a little bit high, I know that Cribl as a product helps save a lot of money by reducing data storage. The pricing is offset by the money I save by using Cribl.
What's my experience with pricing, setup cost, and licensing?
Cribl does require maintenance, especially if I'm deploying it on-premises. If I'm deploying on-premises on my machines, I've just got to make sure that they're being provisioned well, that they're being updated successfully, and that they're constantly balancing the worker processing across them.
Which other solutions did I evaluate?
I definitely prefer Cribl more, mainly for the UI and the preview feature that I mentioned about being able to see in real time my in and out for development. I think that speeds things up a lot.
However, I do like Splunk a lot too.
I think Splunk is better tailored for visualizations and presenting to clients, especially around metrics. I think I can do some visualizations and presentations of metrics in Cribl, but it's not as robust as Splunk.
What other advice do I have?
Definitely for large corporations, they would see the most benefit, but I think small and medium businesses could also benefit as well.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Mar 5, 2026
Cyber Security Engineer at a tech vendor with 201-500 employees
Video Review
Reduces ingest costs and improves data relevance in security operations
Pros and Cons
- "The features of Cribl that I appreciate the most are the vendor agnosticism and the ability to send data almost anywhere you want, regardless of the data type, the format, or the destination; it's very flexible, and we've been able to integrate it with the tools that we have used in the past and are planning to use in the future."
- "Improvement could be made in the logging area, as sometimes we encounter issues in a pipeline or something, and it's not immediately obvious when you look at the logs that the pipeline is failing."
What is our primary use case?
Our main use case for Cribl was primarily data reduction, as we were spending a lot of money on data ingest, and we brought Cribl on board to reduce the amount of money we were spending on that ingest.
Reduction in firewall logs was our primary use case for Cribl, as 80% of our data is Palo Alto firewall logs, and a lot of it we don't necessarily need in the SIEM tool, so we use Cribl to reduce that, keep only the stuff we want, drop the rest, and keep it out of the SIEM tool. The reduction in firewall logs keeps the unwanted data out so that when the security engineers are inside the SIEM tool, they only see the stuff they need to see.
What is most valuable?
The features of Cribl that I appreciate the most are the vendor agnosticism and the ability to send data almost anywhere you want, regardless of the data type, the format, or the destination; it's very flexible, and we've been able to integrate it with the tools that we have used in the past and are planning to use in the future.
The UI is very clean and super intuitive, making it very easy to bring data on via the sources, route the data to any number of destinations that you want, and create pipelines to transform and morph that data however you want.
Cribl is great in the sense that it can handle a large amount of volume and scales with the amount of data that you want to bring on board; if you need to bring on board more data, you just increase the amount of workers that you have.
We use Cribl to reduce data cost and complexity by both dropping fields that we don't want or parts of events that we don't want while keeping the things we do want, while also keeping all of the data, the event in its full form. We're a government agency, so we need to keep everything. With Cribl, we can have our cake and eat it too, in a sense.
What needs improvement?
I'm an engineer, so I think about logging. Improvement could be made in the logging area, as sometimes we encounter issues in a pipeline or something, and it's not immediately obvious when you look at the logs that the pipeline is failing.
For how long have I used the solution?
I've been using Cribl for around four years.
What do I think about the stability of the solution?
I would give Cribl a great rating on stability and reliability, especially if you use the built-in alerting engine that they have, as you can get alerts directly if there are any problems with the worker itself or worker processes, and the built-in monitoring page makes it super easy to monitor the health of all your worker processes.
What do I think about the scalability of the solution?
Cribl scales great with our company as we're actually bringing on a lot more data with all the AI tools rolling out, which generate a lot of logs, and Cribl scales horizontally by just adding more workers and worker processes, allowing us to tackle that data smoothly, quickly, and efficiently.
How are customer service and support?
We've had a great experience with Cribl customer service, as we have dedicated PS resources that have been super helpful when we were rolling out Cribl initially, migrating sources of data from syslog over to Cribl, routing, and parsing, with the support being A+ on both the PS side and the technical support side.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Cribl is really the only tool out there that does what it does, especially when looking at Splunk, as when Cribl first came out, Splunk wasn't able to intuitively do a lot of the things that Cribl did just out of the box with a GUI, making it super easy.
We were dabbling in data reduction, transformation using Splunk's Universal Forwarder and even the Heavy Forwarder in some instances, but it was just not as intuitive, with a lot of command line interaction and no GUI on the front end, making it harder to do, while Cribl makes it super easy.
How was the initial setup?
When we deployed Cribl, we were on-prem. All of our workers are on-prem. Our leaders are on-prem. Nothing's in the cloud. The major challenges that we faced really were related to the load balancer that needs to sit in front of the workers. I would like to maybe see that rolled up into Cribl in the future. That posed a lot of challenges for us just coordinating with our infrastructure team, getting the F5 engineers involved, using F5 load balancer. That was a challenge for us. We ultimately tackled it, however.
What was our ROI?
From my point of view, the biggest return on investment is just the downstream licensing costs we save on the SIEM side; we've reduced our data by a certain amount, and it has almost paid for Cribl itself and also allowed us to chop some licensing off of the SIEM side. We've reduced our amount of ingest by about 40% overall.
What's my experience with pricing, setup cost, and licensing?
I'm not really involved in the pricing and payment aspect of Cribl. I'm just the guy who implements it all once it's bought and paid for.
What other advice do I have?
We're not using Cribl Search at the moment; we're only using Stream and Edge.
If you're a company out there considering Cribl, I would highly recommend at least giving it due diligence; get linked up with the sales rep, as they're going to explain everything to you, and the sales engineers are great and very knowledgeable, making it worth your time and money, so you're going to be glad you did.
I rate Cribl nine out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partners
Last updated: Oct 15, 2025
Principal at a hospitality company with 10,001+ employees
Data control has improved observability and has supported fraud and compliance reporting
Pros and Cons
- "What I appreciate most about Cribl is that it addresses a major gap in the market compared to the competition."
- "The current engineer certification is quite rigorous and not easy to pass."
What is our primary use case?
I have been using Cribl for about a year in my career. As a consultant, my job nature involves working with clients and coming up with solutions. Many of my clients are interested in observability, so I evaluated Cribl as a potential tool for their needs. Cribl is a relatively new product, and I have been involved with it since last year.
What is most valuable?
What I appreciate most about Cribl is that it addresses a major gap in the market compared to the competition. Splunk is extremely expensive, and many of my clients are financial institutions, including big banks, insurance companies, and fintech payment companies in Canada. While they already have Splunk installed, it is costly and sometimes does not meet their needs. Cribl offers significant advantages because from the source, you can collect all the data you want and filter and transform it.
In recent years, many of my clients are focused on fraud prevention, AML compliance, and regulatory requirements. They have numerous MRAs that they need to remediate and show evidence for. Cribl provides better control over data sourcing and allows them to demonstrate good control of their data.
I appreciate that Cribl provides better control of data from the source, which translates to better control over the cost of data and complexity. Many of my clients have sources of data across different platforms, and Cribl allows them to manage data from all these different sources in one place.
What needs improvement?
One area for improvement would be the certification path for Cribl. I understand there is a need for higher-end certifications, but it would be beneficial to also create certifications that are more accessible for business people or consultants. The current engineer certification is quite rigorous and not easy to pass. While keeping that rigorous option, providing another option for business or consultant users to get certified would be valuable.
For how long have I used the solution?
I have been using Cribl for about a year.
What do I think about the stability of the solution?
Regarding stability, I have not experienced any lagging, crashing, or downtime with Cribl.
What do I think about the scalability of the solution?
I believe Cribl is suitable for both large corporations and the small and medium business market. Some of my clients are very large banks in Canada, including one of the largest banks in the country. However, I also work with smaller clients, such as smaller insurance companies. Cribl performs effectively across both market segments.
How are customer service and support?
I have contacted technical support for issues and had a positive experience. I started by opening a ticket from their website. I have dealt with other vendor products in the past where support was unresponsive, but Cribl's support is very good. I was pleasantly surprised by their quality and speed of response. I would rank their support at an eight out of ten, though I acknowledge that I tend to be overly critical.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
While I have not personally tried similar solutions, my clients have been using Splunk, which is the most comparable solution they have relied on for a long time.
How was the initial setup?
I have not done an actual deployment myself, but my understanding is that the initial deployment is easy.
What about the implementation team?
Regarding maintenance on the client's end, there is some administration required. Standard updates from Cribl, such as security fixes and bug fixes, are typical maintenance tasks. I would need to review the specific details to provide a more comprehensive answer about all required maintenance.
What's my experience with pricing, setup cost, and licensing?
I do not know the exact pricing because as a consultant, I am not privy to the exact numbers my clients are paying. Pricing often includes deals and investments from vendors. However, based on feedback from my clients, Splunk is more expensive, and Cribl appears to be more affordable.
Which other solutions did I evaluate?
Regarding pricing for Cribl, I cannot speak to exact numbers because as a consultant, the clients handle the financial details. Deals between vendors like Splunk and Cribl often involve special investments, so the pricing varies. Based on what my clients have shared, Splunk is significantly more expensive, and Cribl appears to offer better value.
What other advice do I have?
I contacted technical support for issues and had a very positive experience. I would give this review an overall rating of eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Mar 2, 2026
InfraOps Team Lead at a tech vendor with 10,001+ employees
Centralized log routing has reduced data complexity and manages diverse internal security telemetry efficiently
Pros and Cons
- "Cribl's interface is user-friendly and easy to learn, making it simple to teach new users how to use it."
- "However, the endpoint plug-in tool can use some refinement, as it tends to hit system resources and can sometimes be detrimental to systems to the point where it must be turned off and a scan restarted when a user is offline."
What is our primary use case?
Cribl is used to manage routing of different log systems and vulnerability type log scanning and retention, which is then re-routed to log retention servers. Firewall logs are sent directly from firewalls into Splunk, which is where Cribl also sends data, so Cribl is bypassed for firewalls. Cribl is primarily utilized for internal servers, systems, and endpoints.
What is most valuable?
The ability to make different variations and adjustments within Cribl to scan for specific items or to get an overall scan is valuable. Cribl's ability to contain data cost and complexity makes the system much easier to use. The cost is higher than preferred, but it is considered the cost of doing business. Data ingestion costs increase with higher ingestion levels, but by maintaining similar or lower levels and refining tuning and ingestion as it comes, costs have been maintained and remain within expectations.
Cribl's interface is user-friendly and easy to learn, making it simple to teach new users how to use it.
What needs improvement?
Cribl handles a high volume of diverse data types very well, such as logs and metrics. However, the endpoint plug-in tool can use some refinement, as it tends to hit system resources and can sometimes be detrimental to systems to the point where it must be turned off and a scan restarted when a user is offline.
Outside of the endpoint issue, there may not be much that Cribl can do better in the program itself. It becomes tedious when one-off fixes are needed because a user submits a ticket complaining that their system is unusable due to Cribl performing a scan.
For how long have I used the solution?
Cribl has been used for approximately six years in a career, not necessarily on this job only.
What do I think about the stability of the solution?
No lagging, crashing, downtime, or instability has been observed in Cribl itself, only in the endpoint scanner. The system itself has been very solid.
What do I think about the scalability of the solution?
Cribl is fairly easy to scale. If ingestion levels need to increase or decrease, adding new nodes is not an issue. Adding the endpoint scanner is not difficult and is fairly easy to use and upscale as needed.
How are customer service and support?
Customer support or technical support through a ticket or email has not been contacted personally. The DevOps team, which handles maintenance updates, has contacted support when running into an issue, which may occur once a year if that, so nothing major has been cause for concern.
How was the initial setup?
The initial deployment of Cribl was somewhat tedious due to the environment being specialized and restricted in an air-gapped setup, so everything had to be built on-premise. This made deployment more difficult when unable to reach the internet to get updates. It took some time, but this was strictly due to the restricted environment, as everything had to be placed on a hard drive, brought across, updated, and then troubleshot through that effort.
Which other solutions did I evaluate?
No alternatives to Cribl have been tried because there has been no need to.
What other advice do I have?
Cribl requires routine updates, with no other real maintenance required. This review is rated an eight out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Nov 26, 2025
Director of Strategic Alliances at security risk advisors
Facilitates seamless log integration and reduces data costs with efficient compression
Pros and Cons
- "We save about 75% of our costs by processing network and firewall logs through Cribl."
What is our primary use case?
I use Cribl with all of my customers that I manage services for. It's how I get their third-party log sources into Microsoft Sentinel.
How has it helped my organization?
We save about 75% of our costs by processing network and firewall logs through Cribl. This is largely due to the compression and duplication that exists within those logs. They tend to be very noisy, and most of the information isn’t useful from a security standpoint. While some of the data might be valuable to other departments, we don’t need to store all that extra information. By removing these unnecessary details, we quickly reduce our data retention costs by 75%.
Cribl makes it very easy to contain data cost and complexity. As far as complexity is concerned, there might be manual ways to do it in other products, but not with the ease and durability. It remains the same, whereas you might try to put a patchwork of other things together to get the same result. In terms of controlling costs, we achieve about 75% savings on data storage, which is fantastic. However, it’s worth noting that Cribl is not free, so we do pay for it to realize these savings. As long as Cribl doesn’t increase their prices too steeply or too quickly, we should be fine in terms of managing our costs.
Cribl definitely handles high volumes of diverse data types. Anything from firewall logs, endpoint security logs, to Windows event logs can become very noisy, especially in large environments. I've not had an issue with Cribl dropping logs. Occasionally there could be a short-term outage, but that's definitely very rare.
What is most valuable?
My favorite feature is Cribl Stream. That's probably the only Cribl product I have a lot of experience with, and Cribl Stream makes it very easy to identify where all the customer's log sources are and to quickly connect them to a destination source such as Microsoft Sentinel and Microsoft Azure Data Storage.
Cribl Stream does two things: not only does it make it easy to connect one log source or one dataset to multiple storage locations, but it also has compression features, which greatly reduce the storage cost for that data. It strips out and compresses data so that only the absolute information remains and not any duplicates. Dual destination and compression are the two top features.
What needs improvement?
I would like Cribl to become more Microsoft-focused. A lot of my work is in the Microsoft environment. Cribl supports all of these other platforms out there, and they seem to be developing a lot for CrowdStrike. I'd prefer to see some Microsoft-specific connectors built inside of Cribl.
For how long have I used the solution?
I have been using Cribl for about two years now. They've only been around for about four years, so I've been using them for half of their existence.
What do I think about the stability of the solution?
The performance and stability of Cribl are fantastic. The uptime is 99.9%. We are realizing all of the cost savings promised, and there are no failures.
What do I think about the scalability of the solution?
Scalability is easy because we can just go into the portal and add a new log source. If we onboard a new firewall or something we want to collect logs on, we can quickly implement that. I don't need to talk to a Cribl engineer to connect a new log source. The only requirement might be purchasing more Cribl credits if I'm running low because I'm asking it to do more than originally specified.
How are customer service and support?
We've engaged their customer service and support, and anytime there's an outage, they've been very receptive. They've quickly escalated our tickets and helped us get resolution. We've never felt we were waiting for a response or that they didn't know what was going on. I think it's maybe because we were an early customer. I would assume it's the same for all customers, but we've gotten great treatment.
I would give them a 10 out of 10 for support. They are very responsive. We deal with a lot of other cloud solution providers who have tried to save money on support. It could be that because Cribl is new and they really want to make sure all new customers are being successful, but we really hope this continues. We don't feel we're alone.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
The only alternative I can compare Cribl to would be Azure Data Transformation, Azure Data Time configuration rules and policies, basically making the storage source sort the data, and that is very painful. I don't see any next-best options when it comes to Cribl. They seem to be a leader and standing alone in their service offering, specific to Cribl Stream. For other products such as Cribl Lake, there's now Microsoft Sentinel Lake, which is a competitor, and I haven't really analyzed the pricing to see how competitive that is. But regarding Cribl Stream, there's no close competitor. The closest is extremely painful, requiring about 20 pages of configuration to even get close.
How was the initial setup?
It's straightforward. They have a really nice user interface, and their service engineers will guide you through the initial setup. Since they are compensated based on product usage, they ensure that we are properly onboarded and that our experience is as successful as possible.
To deploy Cribl probably took an hour. Identifying all the different log sources that we wanted to bring in took about another eight hours of human work as it was a data exercise of determining which log sources are important to us, and where we can get the best compression or data size reduction. You can connect to them all automatically, but you want to have the thought process of which ones matter and what actual data you need.
It does not require any maintenance on my end. The big thing is just checking connector health to make sure everything is running and that logs aren't dropping and that there haven't been any changes. In case there's any outage, putting in a ticket for any outage issues is very minimal. It's set it and forget it, and then just monitor to make sure nothing's bad or nothing has gone wrong.
What about the implementation team?
We're a large organization, so we have a team of about five people who worked on the deployment of Cribl. I'm sure smaller organizations could use a lot less. We probably could have gotten away with two or three people. Not to say one person couldn't do it, but it's always good to have another person putting eyes on the process just so that we don't have a single point of failure.
What's my experience with pricing, setup cost, and licensing?
The pricing has been increasing year-over-year, and I understand that the cost of business continues to grow. The cost of log retention and all the aspects they're fighting against, they are also a victim of. It is a concern that I'm watching as they raise prices about 10% year-over-year. I am still observing significant cost savings, although the amount of savings is gradually decreasing. Additionally, they are currently the sole provider of this type of solution, which means they face no competitive threats.
What other advice do I have?
I would rate Cribl a ten out of ten. I truly appreciate them as partners. They genuinely feel like they're with us on this journey to manage the increasing volume of data. It's been exciting to watch them grow. At first, I thought I was a bit of a nerd for being an early adopter, but seeing so many others come on board after us reassures me that we made the right decision.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Aug 16, 2025
Software Engineer Intern at a consultancy with 11-50 employees
Filtering has reduced daily data volumes and central routing now simplifies log management
Pros and Cons
- "My favorite feature is that Cribl is connected with Splunk very easily and it routes the data."
- "It is very difficult to learn as a beginner."
What is our primary use case?
We work on Splunk, so we use Cribl. Our company works with a system where approximately 12 to 15 TB of data comes daily in Splunk. We don't store the data directly into Splunk; instead, we use Cribl first. By using Cribl, it removes unnecessary data and keeps the important data, which can reduce the size.
What is most valuable?
My favorite feature is that Cribl is connected with Splunk very easily and it routes the data. The filtering is the most important feature because it removes unwanted logs, and the central control manages everything from one place. Cribl provides pipelines, which process the data step-by-step, so all the features are very useful.
What needs improvement?
It is very difficult to learn as a beginner.
I sometimes experience downtime, and by that, we sometimes miss logs, which creates a problem, but not for a long time. Sometimes we face these issues.
For how long have I used the solution?
I have been using Cribl for four months.
What do I think about the stability of the solution?
I sometimes experience downtime, and by that, we sometimes miss logs, which creates a problem, but not for a long time. Sometimes we face these issues.
How are customer service and support?
I have a very good experience with customer support. When we are in trouble, they give us fast responses and good responses, which is very useful for us.
How was the initial setup?
The initial deployment when I first started using Cribl was not that difficult. As a beginner, I think it is a little difficult, not that easy. However, once you start learning and become an experienced user, it is very easy. One person can handle the whole setup without needing a large team.
What other advice do I have?
Cribl's interface is very good, and it is easy to understand how to use Cribl. When I started to use Cribl, it wasn't that difficult to learn. I learned how to pass the data into Cribl, so it is easy. Cribl has a good user interface, which makes work easier for me. I would rate this product a 9 out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 28, 2026
Cyber Security Engineer at a financial services firm with 10,001+ employees
Has streamlined data routing across repositories and enabled flexible pipeline maintenance
Pros and Cons
- "What I appreciate the most about Cribl is the free training, the free access to all the training, and how easy it is to learn it."
- "Regarding Cribl's ability to contain data cost and complexity, if they can reduce their cost, that will make them more competitive."
What is our primary use case?
My current use cases involve using it as a pipeline to process data, to route data from cloud logs to different repositories. Some data goes to Splunk and other data goes to different data lakes. I didn't work with the firewall logs directly. We use Cribl to process web activity and route the data that we wanted into Splunk ES to create detections.
What is most valuable?
What I appreciate the most about Cribl is the free training, the free access to all the training, and how easy it is to learn it. Cribl is great in handling high volumes of diverse data types, such as logs and metrics. It does the job.
What needs improvement?
The product is very good. They could add more AI-assisted pipeline development in a future release.
For how long have I used the solution?
I have been using Cribl for six months.
What do I think about the stability of the solution?
I haven't seen any lagging or crashing with Cribl.
What do I think about the scalability of the solution?
Cribl's scalability is very good.
How are customer service and support?
I have never contacted the technical support or customer support of Cribl.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment when I first started with Cribl was fairly easy, very easy.
What about the implementation team?
We were a team for this job.
What other advice do I have?
I have used alternatives to Cribl. I forgot the name, but it's a CrowdStrike product they just acquired that is the closest one I've used to Cribl in terms of the quality and the features. Currently, I prefer Cribl more than CrowdStrike. I still haven't played much with the other one, but I didn't find any issues with Cribl.
Regarding Cribl's ability to contain data cost and complexity, if they can reduce their cost, that will make them more competitive. However, I don't know what else they can do in regards to how the application works. It's very good.
For the project that I was involved in, it took me probably three weeks to set it up. We had to maintain our pipelines, not because of anything related to Cribl itself, but because the data source changed, so we had to adjust our pipelines. That was the kind of maintenance that we did.
I would rate Cribl a nine out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 28, 2025