
Overview
Cribl Product Overview
How telemetry data was managed over the last 10 years will not work for the next 10. Cribl is purpose built to meet the unique challenges IT and Security teams face.
Cribl.Cloud is the easiest way to try Cribl products in the cloud through a unified platform. Cribl's suite of products gives flexibility and control back to customers. With routing, shaping, enriching, and search functionalities that make data more manageable, you can easily clean up your data, get it where it needs to be, work more efficiently, and ultimately gain the control and confidence needed to be successful.
The Cribl Cloud suite of products includes:
- Stream: A highly scalable data router for data collection, reduction, enrichment, and routing of observability data.
- Edge: An intelligent, scalable edge-based data collection system for logs, metrics, and application data.
- Lake: Storage that does not lock data in. Cribl Lake is a turnkey data lake that makes it easy and economical to store, access, replay, and analyze data, no expertise needed.
- Search: A search feature to perform federated search-in-place queries on any data, in any form.
Getting Started
When you purchase your Cribl.Cloud subscription directly from the AWS Marketplace, you can experience a smooth billing process that you're already familiar with, without needing to set up a separate procurement plan to use Cribl products. Track billing and usage directly in Cribl.Cloud.
Enjoy a quick and easy purchasing experience by utilizing your existing spend commitments through the AWS Enterprise Discount Program (EDP) to subscribe to Cribl.Cloud. Get flexible pricing and terms by purchasing through a private offer. Purchase the Cribl Cloud Suite of offerings at a pre-negotiated price. Contact awsmp@cribl.io or a sales representative for flexible pricing for 12/24/36-month terms.
We are available in US-West-2 (Oregon), US-East-2 (Ohio), US-East-1 (Virginia), CA-Central-1 (Canada Central), EU-West-2 (London), EU-Central-1 (Frankfurt), and AP-Southeast-2 (Sydney) with more regions coming soon! Regional pricing will apply.
To learn more about pricing and the consumption pricing philosophy, please visit:
- Cribl Pricing - https://cribl.io/cribl-pricing/
- Cribl.Cloud Simplified with Consumption Pricing Blog - https://cribl.io/blog/cribl-cloud-consumption-pricing/
Highlights
- Fast and easy onboarding - With zero-touch deployment, you can quickly start using Cribl products without the hassle, burden, and cost of managing infrastructure.
- Instant scalability - The cloud provides flexibility to easily scale up or down to meet changing business needs and dynamic data demands.
- Trusted security - Cribl knows how important protecting data is, and built all Cribl products and services from the ground up with security as the top priority. Cribl.Cloud is SOC 2 compliant, ensuring all your data is protected and secure. Cribl.Cloud is currently In Process for FedRAMP IL4.
Pricing
Free trial
| Dimension | Description | Cost/12 months |
|---|---|---|
| Cribl.Cloud Free | Cribl.Cloud Suite Free Tier | $0.00 |
| Cribl.Cloud Enterprise | Cribl.Cloud Suite Enterprise with 1TB Daily ingestion | $142,800.00 |
The following dimensions are not included in the contract terms and will be charged based on your usage.
| Dimension | Cost/unit |
|---|---|
| Overage Fees | $0.01 |
Vendor refund policy
Cribl will refund prior payments attributable to the unused remainder of your purchase.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Additional details
Usage instructions
Cribl Cloud Trust IAM Role CloudFormation Template
This CloudFormation template creates an IAM role that allows Cribl Cloud to access specific AWS resources in your account. The role is designed to provide Cribl Cloud with the necessary permissions to interact with S3 buckets and SQS queues.
Template Overview
The template does the following:
- Creates an IAM role named CriblTrustCloud
- Configures a trust relationship with Cribl Cloud's AWS account
- Attaches a policy that grants access to S3 and SQS resources
- Outputs the role name, ARN, and an external ID for authentication
Parameters
- CriblCloudAccountID: The AWS account ID of Cribl Cloud (default: '012345678910')
IAM Role Details
Trust Relationship
The role trusts two specific roles in the Cribl Cloud account:
- arn:aws:iam::{CriblCloudAccountID}:role/search-exec-main
- arn:aws:iam::{CriblCloudAccountID}:role/main-default
These roles can assume the CriblTrustCloud role using the sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity actions.
Permissions
The role has a policy named CriblCloudS3SQSPolicy that grants the following permissions:
- S3 access:
  - List buckets
  - Get and put objects
  - Get bucket location
- SQS access:
  - Receive and delete messages
  - Change message visibility
  - Get queue attributes and URL
These permissions apply to all S3 buckets and SQS queues in the account.
Security Feature
The template includes a security feature that requires an external ID for authentication. This external ID is derived from the CloudFormation stack ID, providing an additional layer of security when assuming the role.
Outputs
The template provides three outputs:
- RoleName: The name of the created IAM role
- RoleArn: The ARN of the created role
- ExternalId: The external ID required for authentication when assuming the role
Usage
To use this template:
- Deploy it in your AWS account using CloudFormation
- Provide the resulting role ARN and external ID to Cribl Cloud
- Cribl Cloud can then assume this role to access your S3 and SQS resources
Remember to review and adjust the permissions as necessary to align with your security requirements and the specific needs of your Cribl Cloud integration.
Enable CloudTrail and VPC Flow Logging for Cribl Cloud
This document explains the resources that will be created when deploying the provided CloudFormation template. The template is designed to create an IAM role that trusts Cribl Cloud and sets up CloudTrail and VPC Flow logging to an S3 bucket.
Template Overview
The template automates the creation of AWS resources to enable centralized logging, specifically focusing on CloudTrail logs and VPC Flow Logs. It creates S3 buckets for storing these logs, SQS queues for triggering processes upon log arrival, and an IAM role to allow Cribl Cloud to access these logs.
Resources Created
Here's a breakdown of the resources defined in the CloudFormation template:
- CriblCTQueue (AWS::SQS::Queue): Creates an SQS queue named according to the CTSQS parameter (default: cribl-cloudtrail-sqs). This queue will be used to trigger actions when new CloudTrail logs are written to the S3 bucket.
  - Properties:
    - QueueName: !Ref CTSQS - Sets the queue name to the value of the CTSQS parameter.
- CriblCTQueuePolicy (AWS::SQS::QueuePolicy): Defines the policy for the CriblCTQueue, allowing s3.amazonaws.com to send messages to the queue. The policy includes a condition that the source account must match the AWS account ID in which the stack is deployed. This ensures only S3 events from the current AWS account can trigger the queue.
  - Properties:
    - PolicyDocument:
      - Statement:
        - Effect: Allow - Allows actions specified in the policy.
        - Principal: Service: s3.amazonaws.com - Specifies the service that can perform the actions.
        - Action: SQS:SendMessage - Allows sending messages to the queue.
        - Resource: !GetAtt CriblCTQueue.Arn - The ARN of the SQS queue.
        - Condition:
          - StringEquals: 'aws:SourceAccount': !Ref AWS::AccountId - Restricts the source account to the account where the stack is deployed.
    - Queues: !Ref CTSQS - Associates the policy with the SQS queue.
- TrailBucket (AWS::S3::Bucket): Creates an S3 bucket used to store CloudTrail logs. The bucket is configured with a NotificationConfiguration that sends an event to the CriblCTQueue when a new object is created (specifically, a PUT operation). This will trigger processing when new CloudTrail logs are available.
  - Properties:
    - NotificationConfiguration:
      - QueueConfigurations:
        - Event: s3:ObjectCreated:Put - Specifies that the notification should be triggered when an object is created using a PUT operation.
        - Queue: !GetAtt CriblCTQueue.Arn - The ARN of the SQS queue to send the notification to.
  - DependsOn: CriblCTQueuePolicy - Ensures that the queue policy is created before the bucket.
- TrailBucketPolicy (AWS::S3::BucketPolicy): Defines the policy for the TrailBucket. This policy grants permissions to:
  - delivery.logs.amazonaws.com: Allows the AWS Logs service to write objects to the bucket, ensuring proper log delivery. It requires bucket-owner-full-control ACL.
  - cloudtrail.amazonaws.com: Allows CloudTrail to get the bucket ACL and put objects into the bucket. It also requires bucket-owner-full-control ACL.
  - A Deny statement that enforces the use of SSL for all requests to the bucket, enhancing security.
  - Properties:
    - Bucket: !Ref TrailBucket - The name of the S3 bucket.
    - PolicyDocument:
      - Version: 2012-10-17 - The version of the policy document.
      - Statement:
        - Sid: AWSLogDeliveryWrite
          - Effect: Allow - Allows the action specified.
          - Principal: Service: delivery.logs.amazonaws.com - The AWS Logs service principal.
          - Action: s3:PutObject - Allows putting objects into the bucket.
          - Resource: !Sub '${TrailBucket.Arn}/AWSLogs/' - The S3 bucket and prefix to allow the action on.
          - Condition: StringEquals: 's3:x-amz-acl': bucket-owner-full-control - Requires the bucket-owner-full-control ACL.
        - Sid: AWSCloudTrailAclCheck
          - Effect: Allow
          - Principal: Service: cloudtrail.amazonaws.com
          - Action: s3:GetBucketAcl
          - Resource: !Sub '${TrailBucket.Arn}'
        - Sid: AWSCloudTrailWrite
          - Effect: Allow
          - Principal: Service: cloudtrail.amazonaws.com
          - Action: s3:PutObject
          - Resource: !Sub '${TrailBucket.Arn}/AWSLogs/*/*'
          - Condition: StringEquals: 's3:x-amz-acl': 'bucket-owner-full-control'
        - Sid: AllowSSLRequestsOnly
          - Effect: Deny
          - Principal: * - Applies to all principals.
          - Action: s3:* - Denies all S3 actions.
          - Resource:
            - !GetAtt TrailBucket.Arn
            - !Sub '${TrailBucket.Arn}/*'
          - Condition: Bool: 'aws:SecureTransport': false - Denies requests that are not using SSL.
- ExternalTrail (AWS::CloudTrail::Trail): Creates a CloudTrail trail. It is configured to:
  - Store logs in the TrailBucket.
  - Include global service events.
  - Enable logging.
  - Create a multi-region trail.
  - Enable log file validation.
  - Properties:
    - S3BucketName: !Ref TrailBucket - The name of the S3 bucket where the logs will be stored.
    - IncludeGlobalServiceEvents: true - Includes global service events.
    - IsLogging: true - Enables logging.
    - IsMultiRegionTrail: true - Creates a multi-region trail.
    - EnableLogFileValidation: true - Enables log file validation.
    - TrailName: !Sub '${TrailBucket}-trail' - Sets the name of the trail.
  - DependsOn:
    - TrailBucket
    - TrailBucketPolicy
- CriblVPCQueue (AWS::SQS::Queue): Creates an SQS queue named according to the VPCSQS parameter (default: cribl-vpc-sqs). This queue will be used to trigger actions when new VPC Flow Logs are written to the S3 bucket.
  - Properties:
    - QueueName: !Ref VPCSQS - Sets the queue name.
- CriblVPCQueuePolicy (AWS::SQS::QueuePolicy): Defines the policy for the CriblVPCQueue, allowing s3.amazonaws.com to send messages to the queue. Similar to CriblCTQueuePolicy, it restricts access to events originating from the same AWS account.
  - Properties:
    - PolicyDocument:
      - Statement:
        - Effect: Allow
        - Principal: Service: s3.amazonaws.com
        - Action: SQS:SendMessage
        - Resource: !GetAtt CriblVPCQueue.Arn
        - Condition: StringEquals: 'aws:SourceAccount': !Ref "AWS::AccountId"
    - Queues: !Ref VPCSQS
- LogBucket (AWS::S3::Bucket): Creates an S3 bucket used to store VPC Flow Logs. The bucket is configured with a NotificationConfiguration to send an event to the CriblVPCQueue when new objects are created.
  - Properties:
    - NotificationConfiguration:
      - QueueConfigurations:
        - Event: s3:ObjectCreated:Put
        - Queue: !GetAtt CriblVPCQueue.Arn
  - DependsOn: CriblVPCQueuePolicy
- LogBucketPolicy (AWS::S3::BucketPolicy): Defines the policy for the LogBucket. This policy:
  - Allows delivery.logs.amazonaws.com (the AWS Logs service) to write objects to the bucket. It requires bucket-owner-full-control ACL.
  - Allows delivery.logs.amazonaws.com to get the bucket ACL.
  - Enforces SSL for all requests to the bucket.
  - Properties:
    - Bucket: !Ref LogBucket
    - PolicyDocument:
      - Version: 2012-10-17
      - Statement:
        - Sid: AWSLogDeliveryWrite
          - Effect: Allow
          - Principal: Service: delivery.logs.amazonaws.com
          - Action: s3:PutObject
          - Resource: !Sub '${LogBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
          - Condition: StringEquals: 's3:x-amz-acl': bucket-owner-full-control
        - Sid: AWSLogDeliveryAclCheck
          - Effect: Allow
          - Principal: Service: delivery.logs.amazonaws.com
          - Action: s3:GetBucketAcl
          - Resource: !GetAtt LogBucket.Arn
        - Sid: AllowSSLRequestsOnly
          - Effect: Deny
          - Principal: *
          - Action: s3:*
          - Resource:
            - !GetAtt LogBucket.Arn
            - !Sub '${LogBucket.Arn}/*'
          - Condition: Bool: 'aws:SecureTransport': false
- FlowLog (AWS::EC2::FlowLog): Creates a VPC Flow Log that captures network traffic information for the VPC specified in the VPCId parameter. The flow logs are stored in the LogBucket. The type of traffic to log is determined by the TrafficType parameter (ALL, ACCEPT, or REJECT).
  - Properties:
    - LogDestination: !Sub 'arn:${AWS::Partition}:s3:::${LogBucket}' - The ARN of the S3 bucket where the flow logs will be stored.
    - LogDestinationType: s3 - Specifies that the destination is an S3 bucket.
    - ResourceId: !Ref VPCId - The ID of the VPC to log.
    - ResourceType: VPC - Specifies that the resource is a VPC.
    - TrafficType: !Ref TrafficType - The type of traffic to log (ALL, ACCEPT, REJECT).
- CriblTrustCloud (AWS::IAM::Role): Creates an IAM role that allows Cribl Cloud to access AWS resources.
  - Properties:
    - AssumeRolePolicyDocument:
      - Version: 2012-10-17
      - Statement:
        - Effect: Allow
        - Principal:
          - AWS:
            - !Sub 'arn:aws:iam::${CriblCloudAccountID}:role/search-exec-main'
            - !Sub 'arn:aws:iam::${CriblCloudAccountID}:role/main-default'
        - Action:
          - sts:AssumeRole
          - sts:TagSession
          - sts:SetSourceIdentity
        - Condition:
          - StringEquals: 'sts:ExternalId': !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
    - Description: Role to provide access AWS resources from Cribl Cloud Trust
    - Policies:
      - PolicyName: SQS
        - PolicyDocument:
          - Version: 2012-10-17
          - Statement:
            - Effect: Allow
            - Action:
              - sqs:ReceiveMessage
              - sqs:DeleteMessage
              - sqs:GetQueueAttributes
              - sqs:GetQueueUrl
            - Resource:
              - !GetAtt CriblCTQueue.Arn
              - !GetAtt CriblVPCQueue.Arn
      - PolicyName: S3EmbeddedInlinePolicy
        - PolicyDocument:
          - Version: 2012-10-17
          - Statement:
            - Effect: Allow
            - Action:
              - s3:ListBucket
              - s3:GetObject
              - s3:PutObject
              - s3:GetBucketLocation
            - Resource:
              - !Sub ${TrailBucket.Arn}
              - !Sub ${TrailBucket.Arn}/*
              - !Sub ${LogBucket.Arn}
              - !Sub ${LogBucket.Arn}/*
Parameters
The template utilizes parameters to allow customization during deployment:
- CriblCloudAccountID: The AWS account ID of the Cribl Cloud instance. This is required for the IAM role's trust relationship.
  - Description: Cribl Cloud Trust AWS Account ID. Navigate to Cribl.Cloud, go to Workspace and click on Access. Find the Trust and copy the AWS Account ID found in the trust ARN.
  - Type: String
  - Default: '012345678910'
- CTSQS: The name of the SQS queue for CloudTrail logs.
  - Description: Name of the SQS queue for CloudTrail to trigger for S3 log retrieval.
  - Type: String
  - Default: cribl-cloudtrail-sqs
- TrafficType: The type of traffic to log for VPC Flow Logs (ALL, ACCEPT, REJECT).
  - Description: The type of traffic to log.
  - Type: String
  - Default: ALL
  - AllowedValues: ACCEPT, REJECT, ALL
- VPCSQS: The name of the SQS queue for VPC Flow Logs.
  - Description: Name of the SQS for VPCFlow Logs.
  - Type: String
  - Default: cribl-vpc-sqs
- VPCId: The ID of the VPC for which to enable flow logging.
  - Description: Select your VPC to enable logging
  - Type: AWS::EC2::VPC::Id
Outputs
The template defines outputs that provide key information about the created resources:
- CloudTrailS3Bucket: The ARN of the S3 bucket storing CloudTrail logs.
  - Description: Amazon S3 Bucket for CloudTrail Events
  - Value: !GetAtt TrailBucket.Arn
- VPCFlowLogsS3Bucket: The ARN of the S3 bucket storing VPC Flow Logs.
  - Description: Amazon S3 Bucket for VPC Flow Logs
  - Value: !GetAtt LogBucket.Arn
- RoleName: The name of the created IAM role.
  - Description: Name of created IAM Role
  - Value: !Ref CriblTrustCloud
- RoleArn: The ARN of the created IAM role.
  - Description: Arn of created Role
  - Value: !GetAtt CriblTrustCloud.Arn
- ExternalId: The external ID used for authentication when assuming the IAM role.
  - Description: External Id for authentication
  - Value: !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
Deployment Considerations
- Cribl Cloud Account ID: Ensure the CriblCloudAccountID parameter is set to the correct AWS account ID for your Cribl Cloud instance. This is crucial for establishing the trust relationship.
- S3 Bucket Names: S3 bucket names must be globally unique. If the template is deployed multiple times in the same region, you may need to adjust the names of the buckets. Consider using a Stack name prefix.
- VPC ID: The VPCId parameter should be set to the ID of the VPC for which you want to enable flow logging.
- Security: Regularly review and update IAM policies to adhere to the principle of least privilege. Consider using more restrictive S3 bucket policies if necessary.
- SQS Queue Configuration: Monitor the SQS queues for backlog and adjust the processing capacity accordingly.
- CloudTrail Configuration: Confirm that CloudTrail is properly configured to deliver logs to the designated S3 bucket.
- VPC Flow Log Configuration: Verify that VPC Flow Logs are correctly capturing network traffic.
- External ID: The External ID is a critical security measure for cross-account access. Make sure it's correctly configured in both AWS and Cribl Cloud.
This detailed explanation provides a comprehensive understanding of the resources created by the CloudFormation template, enabling informed deployment and management. Remember to adapt parameters to your specific environment and security requirements.
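As an added example (not part of either template and not Cribl's code), the Python below derives the external ID the way the template's `!Select`/`!Split` expression does and audits a role's trust and permission policies for the points raised in the Trust Relationship, Permissions, and Security Feature sections above. The stack ID, bucket and queue ARNs, and the policy documents are constructed for illustration; the account ID is the template's placeholder default.

```python
# Added example, not Cribl's code: audit a cross-account role like CriblTrustCloud.
# All sample values below are constructed for illustration.

def external_id_from_stack_id(stack_id):
    """Mirror !Select [4, !Split ['-', !Select [2, !Split ['/', StackId]]]]."""
    parts = stack_id.split("/")          # [arn...:stack, <stack name>, <uuid>]
    if len(parts) != 3:
        raise ValueError("expected arn:...:stack/<name>/<uuid>")
    groups = parts[2].split("-")         # a UUID has five hyphen-separated groups
    if len(groups) != 5:
        raise ValueError("stack ID does not end in a five-group UUID")
    return groups[4]                     # last group: 12 hex characters


def _listify(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, allowed_principals, external_id):
    """Return findings for Allow statements that let a principal assume the role."""
    findings = []
    for idx, stmt in enumerate(_listify(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _listify(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
        for arn in arns:
            if arn == "*" or arn.isdigit() or arn.endswith(":root"):
                findings.append(f"statement {idx}: {arn} trusts a whole account or any principal")
            elif arn not in allowed_principals:
                findings.append(f"statement {idx}: unexpected principal {arn}")
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        # IAM condition keys are case-insensitive, so compare on lowercase.
        supplied = {k.lower(): v for k, v in string_equals.items()}.get("sts:externalid")
        if supplied is None:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif supplied != external_id:
            findings.append(f"statement {idx}: sts:ExternalId differs from the stack-derived value")
    return findings


def audit_permissions(policy):
    """Flag Allow statements whose Resource matches every resource of a service."""
    findings = []
    for idx, stmt in enumerate(_listify(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _listify(stmt.get("Resource", [])):
            # The sixth ARN field is the resource name; a bare "*" has no fields.
            if resource.split(":", 5)[-1] == "*":
                findings.append(f"statement {idx}: {resource} covers every resource of the service")
    return findings


# Constructed stack ID; the account ID below is the template's placeholder default.
STACK_ID = ("arn:aws:cloudformation:us-east-1:111122223333:"
            "stack/cribl-trust/00000000-1111-2222-3333-444455556666")
CRIBL_ROLES = {
    "arn:aws:iam::012345678910:role/search-exec-main",
    "arn:aws:iam::012345678910:role/main-default",
}
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": sorted(CRIBL_ROLES)},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {"StringEquals": {"sts:ExternalId": "444455556666"}},
}]}
# Account-wide grant, as the first template's Permissions section describes (constructed).
ACCOUNT_WIDE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage"], "Resource": "arn:aws:sqs:*:*:*"},
]}
# Scoped grant, as the second template's inline policies describe (constructed ARNs).
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::example-trail-bucket", "arn:aws:s3:::example-trail-bucket/*"]},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:111122223333:cribl-cloudtrail-sqs"},
]}

if __name__ == "__main__":
    ext_id = external_id_from_stack_id(STACK_ID)
    print("external ID:", ext_id)
    for name, result in (("trust", audit_trust_policy(TRUST, CRIBL_ROLES, ext_id)),
                         ("account-wide", audit_permissions(ACCOUNT_WIDE)),
                         ("scoped", audit_permissions(SCOPED))):
        print(name, "->", result or "no findings")
```

To audit a deployed role, feed the functions the policy documents exported from IAM in place of the constructed dictionaries.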
Support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Telemetry routing has improved observability and simplifies incident investigation
What is our primary use case?
My current use cases for Cribl involve how the telemetry data moves. We have instrumented our observability backend related services, which we use specifically for our business logic. Basically, how it works is there is something called Autopage where we have all the details of whatever data was just coming in terms of from the adapters of AWS. There, we have Cribl deployed even when no queue Kubernetes cluster exists. We have these things and we're very well organized. Most of the use cases are on Kubernetes where we have better observability because Kubernetes generates a lot of traces, and manually, it is very difficult to manage all these things. Cribl plays a good amount of role to summarize everything properly provided all the information.
What is most valuable?
What I like the most about Cribl is that it extracts the spans very well. Honeycomb does the same thing, but Cribl does it a little bit better than that. We can route one stream from too many destinations with no problem. We have configured a center table easy instance, and we have also tried with the cloud solution. When we send the data in, it just gets extracted in different telemetry solutions such as signals and Datadog. It provides all those enriched data with all the details. For example, we gave user ID as one of the attributes we wanted, and it mapped email on top automatically. So it becomes very easy to identify which customer has a problem during incidents and other things.
What needs improvement?
I'm not the right person to ask this because I only configured it for providing certain specific things. If I say one negative thing, the setup is a little bit trickier because observability setups are generally trickier.
For how long have I used the solution?
I have been using Cribl in my career for six and a half months.
What do I think about the stability of the solution?
Regarding stability, I don't really face any lagging or crashing, but that comes with not a lot of data being injected there. If a very high cardinal solution or high cardinal metrics goes in, there might be some issues, but I haven't faced any problem that way till now.
What do I think about the scalability of the solution?
Scalability, stability, and reliability can only be judged when you have a huge amount of data. Our current organization doesn't deal with a huge amount of data. What we have is around two hundred to three hundred GB of data that we are moving daily. Out of that, whatever telemetry we are getting from our total collector, there's something which we are directing to this, and this is providing to our other solutions out there such as Datadog and Honeycomb. Basically, we are not facing any problem as of now in terms of stability, reliability, and scalability.
How are customer service and support?
In terms of technical support, I have not had to contact them about anything. Technical solutions are shifting now. People are more identifying things on their own, and we have a lot of solutions coming, so it's very easy now.
How was the initial setup?
The initial deployment setup of Cribl was relatively easy for the first time. This comes after a certain new experience that I have. For a very new person who doesn't understand much about observability, it might be a tricky solution. When you are working with an OLTP kind of solution, versioning, pipeline, learning, and coverage are important parts. Once you have that, everything works accordingly. You just have to figure out how it will work.
I really enjoyed working with the OpenTelemetry collectors. I have tried with some AI-related implementations. We have a vector database in the backend, and it has given us a good amount of data transformation depth, which was really good. That has given us more usage context for what we are providing to the AI model. This is a service that we had in AWS Bedrock where we were running an NLM solution. That has given us a good amount of insights whether this is properly working or not. The only problem was there was no token count. For that, I have to use some different solution. For a specific integration, I would be very happy if I could get some other solution which provides me the token information also. How much token I have been consuming is not there right now in any of the auxiliary tools. I have to do it via some other aspect. No complaints with Cribl. Cribl actually has sorted out our problems, but it will probably be better.
What about the implementation team?
For the deployment of Cribl, I have done the complete deployment without anyone's help. I took some documentation that they have and used it for certain structural things. For our department's sake, I deploy our changes directly without any problem.
What was our ROI?
I have seen a decrease in firewall logs with Cribl. Sampling is enabled and definitely that is something which I have actually seen a good amount of reduction in. The logs are really high, so what we had previously because a lot of those kinds of things happen on the valve, followed by a lot of things that happen on our product. Because of that, the logs get filled up very fast, and we store all those logs in history. When I compared the situation after Cribl and when we actually validated whether the amount of logs in the history compared to what they were before, the growth results significantly decreased. I don't have a number in mind right now, but I have documented it somewhere.
What's my experience with pricing, setup cost, and licensing?
Regarding the pricing of Cribl, I'm not the right person to talk about pricing because all these things are taken care of by our VP of engineering. I suggested them to ship also, and then we are on a pilot with them. We have not paid any money to them yet. With respect to this current Cribl implementation, I am not hundred percent sure what we have actually done. I can answer the technical aspect of it, but the financial part is something that's out of my scope right now.
Which other solutions did I evaluate?
When it comes to using any similar solutions to Cribl, there are not really alternatives. We have used Chip, if you have heard of it. But the use cases are a little bit different. Chip is something which provides more enhanced metrics on top of existing metrics of what we have. So we don't have to look at ten different metrics, and we can use this. They have run a pilot with us a while back, but they are focused mainly on Kubernetes clusters, whereas our solution is more tied to the instances and other things. These are not a cluster mode running. In our case, it has given us significant value.
What other advice do I have?
Regarding Cribl's ability to handle high volumes of diverse data types, for logs, it is something we have used. We have used it specifically, and I'm not saying I know how to use it completely, but not that much, to be honest. It's okay what we have done.
In my experience with Cribl's new search in place technology, Cribl search, I find the user interface when managing log processing tasks to be decent. I don't have any complaints.
I would give Cribl an overall rating of eight out of ten.
Data optimization has reduced log volume and now simplifies monitoring and multi-year retention
What is our primary use case?
We started using Cribl one year ago for data optimization.
Currently, we are using Cribl for its one terabyte ingestion that is free, which is one significant advantage. We are using it for that purpose only at this time. We are a customer and we are planning to purchase it, with almost a deal in progress. This month or next month, we will be purchasing Cribl.
Currently, we are not using metrics; we are using Cribl only for event-type logs. We do not have much data for metrics, so we are directly flowing that to Splunk. For logs, we are using Cribl, and there is also monitoring available, which is very good. Cribl's monitoring dashboard has a lot of graphs by default, so we can use that to populate our searches and run them, which is helpful.
We are using Cribl Stream for our streaming purposes and not using Edge due to our existing Splunk agent deployment. We occasionally use Cribl Search to investigate, especially during the deployment phase, which allows us to search some internal Cribl logs. We use Cribl Lake to store the internal data.
We utilize Cribl Search only for internal purposes. For example, when we experience back pressure issues, we search that particular source in Cribl Search to check their source logs, how back pressure was created, when it occurred, and what errors arose. We only keep internal logs in Cribl Lake, enabling us to search them. Cribl Stream's monitoring dashboard shows everything, including when there is a spike, the KVP data, and all related information.
What is most valuable?
Cribl's best feature is that the UI is very simplified, so if a new person is there, they can easily understand everything. The UI is very simple and good. Other than this, data flow and data visibility are among the best features. We can directly see how our data is going from where to where and with the live data, live logs, everything we are able to see.
I find that it is very easy to describe my experience with the user interface when managing log processing tasks. It is very easy to manage all the data and all the data flows. Everything in the UI is very easy. Also, there are a lot of sources, a variety of sources, a variety of destinations available, many ports, data, and many scripts. Everything we think of is available in Cribl, so from wherever we think we can get the data and wherever we want to put it, we can put that as well.
For firewall logs, there is a default parser available in Cribl, so we are using that parser. In addition, there are many default parsers for various firewalls such as Palo Alto and Fortinet. This is very helpful to us as it will extract all the data, and we can remove the fields that are not required, which is reducing a lot. This is one reason we are purchasing Cribl for Splunk.
Cribl brings two main improvements to our organization. The first improvement is cost saving, as we can save a lot of cost by reducing the data. The second important improvement is the data quality, which is also one of the most critical aspects because it filters the data and makes it whatever we want to see. Cribl helps us manage our data quality very well. Since we are in the beginning phase of using it for one year, I believe this product will help a lot as time goes on.
What needs improvement?
One improvement Cribl could work on is Cribl's Git integration. If I want to integrate my private repository, I can do this, but there is a specific format required in Git. If I commit something to Git, Cribl won't pull it automatically. We can upload from Git to Cribl, but not the other way around, so that is an area that needs to be addressed.
For how long have I used the solution?
We started using Cribl one year ago for data optimization.
What do I think about the stability of the solution?
Stability-wise, Cribl is a very stable platform with no issues.
What do I think about the scalability of the solution?
In terms of scalability, Cribl is indeed scalable. We just need to increase the license. Currently, we pass 600 to 700 gigabytes of data through Cribl, and we plan to increase more, up to two terabytes. For that, we will need to purchase an additional license, but as time goes on, we just need to increase our license.
How are customer service and support?
I rate the technical support as a nine out of ten.
Which solution did I use previously and why did I switch?
There are other vendors such as Splunk, which includes its default solutions such as Splunk Edge Processor or Splunk Ingest Processor. I have heard about them, but they tend to be very technical, requiring a lot of queries. While there is a UI available, you cannot see the data flow properly. It becomes very difficult to manage your data on other platforms. In contrast, Cribl simplifies everything, with default systems and routes that allow your data to go through a pipeline to its destination. There is a straightforward flow where you check live data, can test your pipeline, and it is all very simplified compared to other platforms, which often require excessive queries to resolve issues. Fixing problems in Cribl takes thirty minutes instead of wasting a whole day in other products.
How was the initial setup?
Cribl's deployment is very easy and straightforward, similar to Splunk. If you know how to install Splunk, then it is a copy-paste process. It is not complex for us since we also deploy Splunk on-premises.
What other advice do I have?
For now, we are just an end-user.
Currently, we are using Cribl on-premises, and I think we have not explored it much. However, I can say that everything is good; I do not find anything needing improvement since I do not have a deep dive into this product.
Maintaining Cribl is easy; we do not see any downtime or major issues at all. Sometimes we experience back pressure issues due to source spikes, but they are acceptable as they come from the source and not from Cribl's end. Cribl effectively manages these situations, addressing spikes from sources and destinations.
As of now, we maintain five years of data, and we have not changed that. However, we plan to increase retention from five years to seven years with Cribl since we now have less data. Currently, we have 100 terabytes of data, and eventually, we aim for 700 gigabytes, which is significantly less.
I will surely recommend Cribl to everyone who has data exceeding one terabyte because it helps a lot for such customers. They can send data to multiple destinations and stream solutions, significantly enhancing data quality and reduction. Thus, purchasing Cribl is essential for them.
I give Cribl an overall rating of nine because I am not well-acquainted with Cribl Edge. I have just heard about the in-place search feature, but I have not explored that area, so I cannot comment on it. I am familiar with Cribl Stream, Lake, and Search, which is why I give it a nine instead of a ten.
Data optimization has reduced logging costs and provides clear, efficient pipelines
What is our primary use case?
How has it helped my organization?
Cribl has impacted our organization very positively. Our management team was previously very concerned about costs. If we were using the traditional method, we would be giving every log to Splunk, and it became very messy and tough to handle. Because of Cribl, we have experienced very high impact in cost efficiency, data clarity, and data optimization. It has been a very big impact.
What is most valuable?
The best feature is data cleaning and data optimization, which has reduced our costs significantly. Cost optimization can be counted as one of the valuable features.
My experience with the UI is very decent compared to others, and it is very good.
Cribl handles fire logs very well because we are getting logs from many of our applications. We collect the data from APIs and everything, and it works very well with fire logs.
Cribl has handled our needs very easily and very stably. We have depended on it, and it works very well. Data costs have become very low, making it more reliable in terms of cost efficiency.
What needs improvement?
The main improvement is to provide a very clear and comprehensive user manual.
Another main improvement I would like to see is if we could get an advanced monitoring system or advanced monitoring capability, we could use Cribl in a very advanced way.
For how long have I used the solution?
We have been using Cribl for mainly around ten months.
What do I think about the stability of the solution?
Cribl is very stable. Once the pipeline is configured properly, it runs consistently, even with high volume. We have not faced any major issues.
What do I think about the scalability of the solution?
From my experience, Cribl is quite scalable and very scalable. We are using it with very high volume, and it is very scalable.
How are customer service and support?
Cribl's customer service is good. We have tried contacting them one or two or three times, and it has been good.
Which solution did I use previously and why did I switch?
We are using Splunk currently, but we were giving logs directly to Splunk without any clarity, without any cleaning, and without any optimization. We were giving everything to Splunk, and because of this, it became very messy. We had to make a call to Splunk's help section for assistance. Now that we are using Cribl, it is very good, and we do not have to rely on Splunk's support to help us.
How was the initial setup?
Cribl's initial setup is quite complex. That is why I am recommending that they provide a very comprehensive user manual.
What about the implementation team?
We integrated Cribl by ourselves.
What was our ROI?
Cribl is reliable, and while the ROI is not as significant as other metrics, we have already exceeded it because the costs are very low.
What's my experience with pricing, setup cost, and licensing?
The costing part is not something I directly handle, but from what I know, the setup cost is very low.
Which other solutions did I evaluate?
We have not checked any other options because this option has matched our requirements.
What other advice do I have?
I would like to recommend providing a very clear and comprehensive user manual so that any newcomer or new customer can understand it very easily. Our review rating for Cribl is nine.
Streamlined log processing has reduced storage costs and improves real-time data routing
What is our primary use case?
What is most valuable?
Cribl features integration support since it works with 50 plus sources and destinations, data routing and flexibility allowing me to easily route telemetry to multiple destinations such as SIEM, data lake, and cheap object storage, and data processing and reduction because it filters out unwanted fields, removes redundant data, and restructures logs before reaching systems, which is helpful in saving cost and improving performance.
We have observed a 30 to 40% reduction in log volume hitting the firewall.
Cribl Stream handles a high volume of data very efficiently as it is designed to process log metrics and data from multiple sources in real time without major performance impact. We tested Cribl Stream with different types of machine data and even with large ingestion volumes, and the platform remains stable because of its distributed and horizontally scalable architecture.
I can assess Cribl's ability to handle high volumes of different data types, as it can handle multiple formats because it supports structured and unstructured data formats such as JSON, CSV, XML, and plain text logs. It processes and transforms data in real time with low latency. In our PLM environment, we had logs coming from multiple enterprise systems and services, and Cribl helped normalize and route those diverse logs efficiently before forwarding them to Splunk.
What needs improvement?
My experience with the user interface when managing log processing tasks is quite complex for new beginners, and there is also a documentation gap that leads new beginners to take a while to get fluency over the software.
Areas that have room for improvement include the complex UI for beginners and the documentation gap. One challenge initially was configuring pipelines and understanding parsing rules because of this gap, and I think there should be more plug-and-play integration examples for common enterprise tools.
For how long have I used the solution?
I have been using Cribl for 13 to 14 months.
What do I think about the stability of the solution?
Cribl is a stable solution, and overall, I give it a 10.
What do I think about the scalability of the solution?
Cribl's architecture is quite scalable because it horizontally scales whenever required, so I give it a nine for scalability.
How are customer service and support?
I would rate the technical support as nine out of ten.
Which solution did I use previously and why did I switch?
This is my first time using this type of solution, and I have not used any other alternative or competitor solution, so I am not aware of other options.
What about the implementation team?
My team members mentioned that it was not difficult to deploy it; it was handled by two of our IT team members.
What's my experience with pricing, setup cost, and licensing?
I find the pricing of Cribl to be cost-efficient because it has helped us save costs for data storage by removing unwanted logs.
What other advice do I have?
I am aware of Cribl Search and its new search in-place technology, but I have not used it.
I am pretty new to Cribl and have only used Cribl Stream, but I am looking forward to exploring other products such as Edge, Search, and Lake.
I would highly recommend Cribl because it has been very helpful in cost optimization. I give this review an overall rating of 9.
Data pipelines have reduced log volume and now simplify routing observability data everywhere
What is our primary use case?
Cribl is primarily used to reduce data volume. When large datasets arrive, such as 1 TB of data, it can be reduced by 600 GB or 400 GB while maintaining the same information. Additionally, Cribl is used to send the same data to multiple destinations. The same data can be copied and sent to different products such as Splunk and Dynatrace.
For firewall logs, there are many default parsing templates and pipelines available. Firewall logs can be easily converted using parser functions. Default parsers are available for all log types, such as Palo Alto traffic, access logs, audit logs, and Linux logs. When a parser function is chosen for Palo Alto traffic, it automatically extracts all fields from the firewall logs.
A specific use case implemented involves firewall logs, which are substantial in size. Statistics are performed on the firewall logs and sent every five minutes. The logs are summarized by state count, and during that five-minute interval, the logs are aggregated and sent to other locations such as Dynatrace and Splunk. This significantly reduces data size and saves considerable space and licensing costs in Splunk.
Cribl provides substantial help with sending data to different destinations. With three products in use—Splunk, Dynatrace, and DataDog—Cribl sends dual feeds to multiple products. For instance, firewall logs are needed by both Splunk and DataDog. Additionally, some observability logs are directed to Dynatrace while remaining logs are sent to Splunk. Cribl effectively splits data across the various products in use.
Cribl is recommended for organizations with more than 1 TB or 2 TB of data ingestion. For smaller data volumes of less than 1 TB, Splunk licensing alone is sufficient, and parsing can be done at the Splunk level. With 14 TB of data ingestion per day, Cribl provides significant benefits.
What is most valuable?
Cribl's user interface is the most valuable feature. The UI is extremely user-friendly and allows visibility into what Cribl is processing and how much time it takes. Multiple routing capabilities enable data duplication to any location.
Cribl Edge provides an agent that is very simple to install on any server. Installation requires only a one-line script that can be copied and pasted, and the connection is established immediately. The configuration part is also very good.
User management in Cribl is excellent compared to other products. There is no need to access the back-end for any task, and dependence on the back-end is eliminated. Everything is available on the UI, making it very simple to use.
Cribl Cloud has no issues with handling large data ingestion volumes. Cribl Cloud can handle any volume of data efficiently. However, before purchasing Cribl Cloud, the read and write IOPS requirements need to be discussed and agreed upon with Cribl support. If data volume increases, these parameters can be adjusted accordingly. For on-premises deployments, the server is managed internally, and with recommended workers configured, there should be no issues.
For endpoint telemetry, the agent can be deployed everywhere using scripts based on Windows, Linux, and Kubernetes. Once the edge script is obtained, it can be deployed across all endpoints to gather data.
What needs improvement?
Currently, there are no significant enhancements needed as Cribl is a reliable product.
One improvement opportunity exists with Git integration. Git is attached to Cribl, and while users can push changes from Cribl to the Git repository, pulling changes from Git back into Cribl is not automated. When changes are made directly in the Git repository, they must be manually pulled into Cribl. For example, if a source is created in Cribl, it can be pushed to the Git repository, but modifications made directly in the Git repository must be manually pulled back into Cribl. Automating this pull functionality would be a valuable enhancement.
For how long have I used the solution?
Cribl has been used for the last six or seven years.
What do I think about the stability of the solution?
No stability issues have been encountered. Occasionally, back-pressure issues occur, but these are not caused by Cribl. Sometimes the source experiences issues, or destinations such as Dynatrace do not accept the data due to API hit limits when sending data via HTTP. During these times, back-pressure occurs, and when back-pressure takes a long time, the parsing queue can become full.
What do I think about the scalability of the solution?
For scalability, the leader is configured for high availability with a standby leader. Standby workers are also maintained. Currently, there are 16 workers in total with six additional workers kept as standby. If a worker fails, Cribl can be started on these standby workers to maintain operations.
How are customer service and support?
Customer service is not required as the product is managed internally. Three or four people manage the product exclusively. Technical service support is not utilized because the team consists of certified Cribl engineers who have comprehensive knowledge of the product.
How was the initial setup?
Initial setup is straightforward, particularly for those familiar with Splunk. The installation is similar to Splunk—unzip the leader package and install it. The worker installation follows the same process. Installation is very simple. For cloud deployments, there are no issues as URLs are provided.
What about the implementation team?
A consultant from NetScaler, an authorized partner of Cribl, was brought in to guide the implementation. This person provided guidance, but the team completed the implementation internally. Assistance from Cribl is obtained whenever needed through this consultant.
Which other solutions did I evaluate?
Other alternatives exist, including Splunk, Enterprise Security (ES), and Itsee. Many other products are also available.
Cribl offers several advantages over alternative solutions. Managing the infrastructure, including workers and the leader, is very simple. Patching is also straightforward and requires only one click. The user interface is user-friendly.
Alternative products have many limitations that Cribl does not have. Other products may have issues with data acceptance and compatibility. Cribl accepts data over various ports, including TCP, HTTP, and UDP, as well as HEC tokens. Cribl also supports custom sources that can be added, a feature that is missing in other platforms.
What other advice do I have?
Pricing is always discussed with high-level business teams, and involvement in pricing discussions is limited. However, Cribl is very inexpensive compared to Splunk licensing, which is a significant advantage for organizations purchasing Cribl.
Upgrading is a one-click activity. The version is selected, the leader is upgraded, and then the worker is deployed with a single click to upgrade the entire infrastructure. This capability has not been seen in any other product.
Data complexity is not a concern. Although there are many fields, each field has a question mark next to it that provides a description of what needs to be entered in the checkbox or dropdown below. The UI presents all information clearly. Without prior knowledge, anyone logging into the UI and navigating through sources, destinations, and other configurations can easily understand everything.
The overall review rating for this product is 9 out of 10.
