I'm a SIEM engineer and we use Splunk and other SIEM tools. Since other SIEM tools are too expensive and security teams need different data to come into their SIEM tools, Cribl helps us filter out unwanted logs coming from syslog devices and other networking devices, which saves our license. We save around 2.2 TB every day using Cribl. All our logs go to Splunk, and we have Cribl positioned between our log sources and Splunk as the main function.

We also use Cribl for filtering and sending data to different outputs. One output is Splunk, and others include Kafka topics and different source sites like Pub/Subs, HEC endpoints, Google Pub/Sub, and Amazon S3 buckets for long-term retention of certain logs.

Recently, I have not yet worked with Cribl Cloud in production, but I had an opportunity to get hands-on experience with their lab environment.

I loved the way they created their cloud and their AI capabilities are good there. Another valuable feature of Cribl on-premises is the way it helps us filter out logs. It's a very easy tool to understand for someone new to these things, and it's easy for us to explain to new recruits we hire.

Firewall logs contain a lot of entries that security teams and audit teams don't require. We use filtering and regex in Cribl to remove unwanted logs that no one requires, such as entry logs and in-and-out logs that the syslog and firewall device would send anyway. We only need the threat logs and security logs. We save around 1 to 2 TB of logs every day using Cribl.

Regarding complexity, as I mentioned before, Cribl is very simple to use. When I started 2.5 years ago, it was very easy to learn. I learned Cribl within a week, and even though I was a fresher at the time, it was easy to understand and not complex enough that someone would need to spend money on labs. It's not that complex to learn.

Regarding cost efficiency, it's very good because nowadays the SIEM tools we use are too expensive on license, and SIEM tools base their license on how many logs get ingested. The unwanted logs, particularly firewall logs, represent a significant portion of unnecessary ingestion. Cribl saves our license by filtering out half of the firewall logs that are unwanted. Our main purpose for using Cribl is to save our license and save money.

Currently, everyone is moving toward AI agents. We currently use regex, and AI agents could help us create those regex patterns to drop events or add raw data to events. Currently, we sit down, review the logs, and create regex patterns manually, which can be time-consuming. An AI agent could reduce this time. I read some articles indicating that Cribl Cloud has started using AI and considering MCPs and model context, but I'm not certain how far along they are. If Cribl asked me what they could improve, that would be my suggestion. The support is very good, and I had a few issues with Cribl where I raised support cases and received good responses, which is better than the quick response I didn't get from other SIEM tools and vendor tools I use.

Compared to other SIEM tools, Cribl is cheaper than Splunk and DataDogs. However, it's still a bit expensive from my point of view, though I won't call it expensive. Overall, I think 99% of companies use Cribl before their SIEM tools, and compared to SIEM tools, Cribl is cheaper. Companies can use any SIEM tool such as Google, Splunk, or Cisco, and Cribl is cheaper than those SIEM tools. They might have a slight chance to reduce costs further, but I'm not the correct person to evaluate that since I'm more focused on the operational side.

Regarding training, it was quite easy to grasp. It took me almost a week to understand the basic functionalities and what Cribl does. Getting more expertise took additional time, but basic functionalities and understanding what Cribl does took around four to five days. One point I want to mention is that Cribl could improve their labs or training materials in their Cribl Cloud or whatever portal they have.

I have been using Cribl personally for around 2.5 to 2.8 years. My company has been using it for a longer time, but I joined the company seven months ago, so my hands-on experience with it is around 2.5 to 2.8 years.

Regarding the metric part, I haven't worked much with it, so I can't tell much more about that. However, regarding log volume, it's very good. I have personally used Cribl with 10 to 12 TB of data per day in 24 hours, and I have not found any problem with log latency or ingestion issues, or Cribl not being able to handle this volume. I have not faced such issues on the logging side. On the metric side, I'm too new to provide an answer.

Currently, I haven't seen any instability or latency issues. We tried to boost logs from 4 to 5 TB up to 7 to 10 to 12 TB, and we didn't find any lagging or Cribl going down. We found initially negligible latency, but with the help of their support team, we figured out how to improve our latency. Till now, I haven't seen any outage or severe outage that would require a serious discussion about needing a resource to maintain Cribl. I don't recall the last time we maintained Cribl or checked how it's running. Maintenance is very rare.

Cribl scales very well. I'm not entirely certain about the license aspect since it's based on how much log volume we put in. Initially, we had around 3 to 4 TB of license ingestion, and then we increased it to 8 to 10 TB. We raised a request to increase the license and got a new license with 8 to 10 TB of logs per day ingestion capacity. We were able to scale it very quickly without much effort required. That was a doubling from four to eight or 10 TB, but I have never tried scaling beyond that, and I haven't heard people complaining that Cribl cannot scale up.

The best part about Cribl from a scalability point of view is that it doesn't require much operating system configuration. Otherwise, we need to check every time those servers get patched, and we need to verify that anything changed on the operating system doesn't affect Cribl. That's not happening with Cribl. Any small issue on the operating system end also doesn't impact Cribl. Compared to other SIEM tools I use, any slight change on the operating system end impacts a lot on our SIEM tools and other things, but Cribl performs well in that regard.

The support is very good. I raised a few Cribl support cases for issues I encountered and received good support from them. This is better than the quick response I didn't receive from other SIEM tools and vendor tools I use.

We have not used license-based tools previously. We tried using Logstash and Fluentd, which are open-source tools, but only for demo purposes. Since those are open-source tools, we cannot compare open-source tools with license-based tools. I never had a chance to work on any license or vendor tool related to Cribl before.

We check the latest version of Cribl and upgrade to the latest version or whatever version we are comfortable with if a new version is available. Overall, we don't see any regular maintenance required. We are using Cribl on our virtual machines, and one good point is that Cribl doesn't require much operating system configuration. Basic operating system configuration can run Cribl. Compared to other SIEM tools that need legitimate operating system configuration and their operating system kernel versions, Cribl is quite friendly in that regard. Simple basic operating system configuration works, and Cribl doesn't need regular maintenance where we need a resource running maintenance tasks every day.

From an engineering view, I would rate Cribl nine out of ten. I'm not certain about the license and pricing aspects, which is the one thing I consider. Overall, I enjoy working with Cribl and would give it an eight to nine rating. However, I'll give it an eight because there are always points of refinement, and nothing is perfect. My overall review rating for this product is eight out of ten.

Our main use cases for Cribl are Cribl Search, which allows us to search for logs and metrics for our cloud engineering data.

The features of Cribl that I appreciate the most are the ability for in-place searching for our logs, so we don't have to move our logs outside of our cloud, which gives us privacy and compliance requirements.

Other features that we appreciate are dashboarding, alerting, and the ability to save searches so we can rerun them again on a scheduled basis. These features benefit our company in a variety of ways; mostly, our operations team can rerun their searches on a daily basis without having to rewrite the queries, and the ability to keep the data privately in our buckets is a huge requirement for us.

Cribl's ability to contain data cost and complexity is good. The complexity is very minimal. The reason for that is that the data does not move from where it lives. So there is no cost and there is no complexity in terms of moving the data and processing the data out of where it lives currently. Everything is in place, which is huge, and it makes everything so simple.

Cribl is great at handling a variety of volume logs as it is scalable and it uses scalable infrastructure behind the scenes, which allows us to constantly add more logs and it is able to handle it nicely.

Cribl search affected our data exploration practices overall. Cribl search has affected us greatly, and it has optimized our operations teams' time and efficiency. They're able to troubleshoot and find issues for our customers in a minimal amount of time. It also allows us to go back and look, for example, three months back for specific issues. With other tools, it was taking us a lot longer.

The UI is very intuitive in the sense that it gives you the chance to write your own query and customize it. And then once you figure that out, you're able to save it and rerun it on a scheduled basis so you don't have to reconfigure the query every single time.

Cribl can be improved in some ways; one of which is the ability to search multiple regions. Currently, Cribl Search is dedicated to one bucket at a time in the case of S3 buckets. The ability to search for multiple buckets would be awesome.

We have been using Cribl for a little over a year now, and we use specifically Cribl Search.

We have not experienced any downtime or crashes with Cribl; however, we have experienced some delays with some of the Cribl Search queries when the volume of data is humongous. In some parts, due to how the data is partitioned in our cloud, we were aware of those situations. Even though we did experience them, we anticipated those delays, so that was expected.

The process of expanding usage is very smooth, and Cribl Search is very scalable since it does the searches in place where the data grows, and the infrastructure behind Cribl Search is also scalable as it uses a CPU and it just spawns horizontally more instances as it demands and requires.

I would evaluate the customer service and technical support of Cribl as superb; honestly. Every time we had an issue, we created and opened a new ticket for Cribl support, and they were very responsive. Usually, within an hour, we get a response, and we are able to work with them back and forth until we resolve the issues.

Prior to Cribl, we were able to use cloud-native specific solutions which were costly and time-consuming to pinpoint and figure out problems that can happen within a time window. It was not an easy user interface, and operations complained. Because of that, we started looking into other solutions, and that's how we stumbled upon Cribl.

The biggest return on investment when using Cribl is our time minimization for our operations team. They're able to look for customer issues real quickly, as opposed to the previous tools that we had, which were more time-consuming and also more costly. The time saved using Cribl is hours per engineer - about three hours' worth.

I did not deal with pricing directly. We had a team that dealt with Cribl.

We have looked into other solutions without naming names, and we considered major tools that are in the industry that are cloud-specific, cloud-native. What stood out was that Cribl is more cost-effective, and also, the main issue for us was we wanted to keep the data in our cloud.

We don't want to migrate it due to privacy concerns and compliance requirements. Cribl was about the only tool that actually was able to satisfy our requirements, which is mostly the reason why we chose Cribl.

I would advise someone considering Cribl to really look into Cribl products, such as we did for Cribl Search, and really examine the challenges of huge volumes of logs, as Cribl has a really nice suite of products that would satisfy these requirements. Additionally, consider the requirements of data privacy, as the data does not get moved out of your cloud.

On a scale of one to ten, I rate this solution a nine.

We started our Cribl journey at the end of 2022, but we have been evaluating Cribl since 2020. We have been using Cribl from the end of 2022 till now, and the use case that brought Cribl into the picture is a critical business application sending its transactional logs into a database which got overwhelmed due to the sheer volume of logs. We evaluated Cribl for that use case, and now it has evolved into much more than just servicing that use case in our organization, making it a three-plus-year journey into Cribl.

Cribl plays the core essential function of handling the data telemetry pipeline in our organization, enhancing the way we collect data and bring logs from different sources. The way we have deployed Cribl is to coexist with our existing toolsets, not replacing them but working alongside them to bring the data faster and easier while managing the licensing and transforming the data from various sources. The easy agentless collection is the first feature that comes to mind as one of the critical features I appreciate the most, along with its versatility to deploy Cribl Stream for agentless collection and Cribl Edge for agented collection wherever necessary.

Collecting data is where Cribl excels, as it allows us to collect data from diverse sources easily and route it to multiple destinations, all while providing the ability to transform or apply any type of redaction on the fly through an easy-to-use UI. The features mentioned, such as easy data collection from different sources, benefit us by allowing us to be agentless wherever possible. In today's IT world, with a hybrid multi-cloud environment, we can't always deploy agents to collect data, so Cribl's agentless collection mechanism helps us get data into our environment quickly.

Cribl has been instrumental in containing our data costs, especially as we use leading log aggregation and SIEM tools known for their heavy licensing costs by ingest. Placing Cribl in our data telemetry pipeline enables us to achieve streaming the same information to multiple destinations, which fast-tracks the way we conduct POCs with various tools in the realm of observability. I saved over $200,000 in licensing by enriching and transforming the data efficiently, dropping unnecessary information and only sending relevant data to our teams.

When discussing Cribl's ability to handle high volumes of diverse data, such as logs and metrics, it plays a pivotal role. It can be deployed as an agentless collector or an agented collector, giving us control over how we collect data from sources more efficiently. We can send data into an S3 or Cribl Lake, which helps control storage costs while providing better retention aligned with our organizational needs. Firewalls produce a lot of data essential for network troubleshooting and security analytics, and handling it with a third-party log aggregation vendor often incurs high licensing and storage costs. With Cribl, we offload firewall logs from our existing log aggregation tool into low-cost storage with higher retention periods, enabling us to search the data directly using Cribl's search functionalities, creating a unified view for our networking and security teams and achieving close to a 40% reduction in firewall logs.

Cribl can improve by providing automated analytics and advanced parsing capabilities since it handles data at its core. I'm particularly interested in innovations such as Cribl Guard for automated PCI and PII masking, and a more stringent role-based access control feature would enhance security and allow granular control over what users can see and access.

I've been working in this industry for over a decade now, close to a 15-year mark, as I started my career as a system administrator and slowly grew into this managerial role. I've stayed close with the current technology I've worked with since my start till now, and for over seven years, I have been in the monitoring and logging area where I have developed myself into this management role.

Cribl's scalability is impressive, playing a vital role in transforming our logging strategy with its vendor-agnostic design. We use a hybrid deployment approach and a pull mechanism for most data sources. Managing data onboarding and transition becomes easier with Cribl, allowing for efficient growth as needs increase.

Cribl's customer service and technical support exceed expectations, with a knowledgeable sales team and service executive who assist in resolving issues swiftly. Most support requests arise from our limited product knowledge rather than product issues, and the Cribl support team resolves queries typically within four hours.

The biggest return on investment with Cribl is improved handling of data and efficient routing to multiple destinations, saving costs across infrastructure and licensing. Cribl is versatile and continues to develop, allowing us to strategize and manage our observability landscape effectively.

Cribl has been excellent when it comes to pricing, setup cost, and licensing. The team navigates us through their models seamlessly and we adopt Cribl Cloud easily. Within a month's time, we're able to transfer 400 to 500 GB of data from a different logging solution, thus positioning Cribl as a core piece in our telemetry pipeline.

Deploying Cribl is straightforward; we quickly set up our Cribl Cloud tenant and defined the architecture through resident services and core architects. We manage to create a hybrid deployment model efficiently, bringing substantial savings in licensing and infrastructure costs while enhancing our data handling capabilities.

We deploy in a hybrid model, integrating worker nodes and Edge fleet in our enterprise data centers and cloud platforms near our data sources while using Cribl Cloud for management, ensuring limited access to prevent unwanted changes. In our AI journey, we are just getting started, becoming somewhat novice in this area. Cribl has enabled us to lean toward AI by integrating tools such as Copilot, which helps fast-track building pipelines and generating scripts. With Copilot, we see increased productivity, making it a key feature that enhances how we learn and utilize Cribl.

Cribl Search has significantly improved the way we handle and explore data. Initially, we onboarded all networking devices to stream data into low-cost storage, using Cribl Search to query that data, which now gives our networking, security, and operations teams a single data set to query without the need to remember multiple sets. The setup is cost-effective, and the federated method of Cribl Search allows for efficient querying without performance loss, enhancing our analytics capabilities.

Cribl's user interface is straightforward and user-friendly, allowing us to set up data collection sources quickly. It's self-explanatory, helping me navigate and visualize data without relying solely on commands. I appreciate how Cribl's UX caters to users, making tools accessible without needing extensive knowledge transfers. Based on our usage, I would rate Cribl a 10 overall.

Our main use case for Cribl is to help us reduce cost. Currently, we use the Stream and Edge products of Cribl, and it's on-premise for us. The Stream helps us with any optimization work that we have to do in terms of reduction of the data itself.

The Stream product benefits us by giving us the ability to reduce and streamline the logs flowing into our SIEM. Cribl Stream helps us optimize the data before it reaches our SIEM tools. We've performed extensive aggregation and deduplication of logs, allowing us to cut down unnecessary data before it's sent downstream. This has helped us reduce costs by controlling exactly what data gets forwarded to the SIEM.

In our case, we deal with very chatty logs, especially firewall and other network logs. Using Cribl’s aggregation and drop functions, we were able to significantly reduce the noise. We send a full copy of the raw data to S3 or another data lake, while only the reduced logs are sent to the SIEM.

Another major value we gained from Cribl was how quickly and efficiently our data pipeline became. Previously, onboarding new sources or clients was a challenge. Now, the process is semi-automated and far more streamlined compared to what we had before.

One area that could be improved is the aggregation functionality within Cribl. It's very difficult to aggregate low-volume logs because the worker processes don't share state. Since each worker process initiates separately, it becomes very challenging for aggregation to maintain a consistent state across them. As a result, aggregation becomes problematic, with different worker processes operating in different states while pulling data. A good improvement to the aggregation functionality would be if most of these events could somehow land in a central processing unit or repository, where aggregation could be applied before the data is sent downstream.

I've been using Cribl for over three years now.

I can confidently say we’re finally getting some good sleep. Before Cribl, we were constantly getting late-night calls about data flow interruptions. Migrating from those SC4S servers to Cribl worker nodes has truly been a game-changer.

In terms of scale, Cribl scales very efficiently because we do horizontal scaling. If we have a burst in data sources or an increase in data sources, all we have to do is add a new worker nodes, and usually that solves the problem.

The customer service and the technical support team at Cribl has been very helpful to us. We've had some really unique cases where sometimes they would refer us to professional services, but they would come back with solutions from someone who may have run into that similar issue and provide us with a solution without having to go through professional services. This has been very helpful.

Prior to Cribl, we were using SC4S, which had a syslog-ng engine, and we were doing a lot of manual work, especially when we had new data sources. We had to build something that didn't have a pre-built template within SC4S; it was a challenge to build out templates for it, especially with new folks joining the team sometimes who didn't have any clue about where these things were being kept. It was a huge challenge for us to build those templates for data sources that didn't have any templates at all.

We also had our heavy forwarders, which we were writing transformations and props to help us reduce data. It wasn't doing quite a very good job, and Cribl had some of these advanced functionalities such as aggregation and those drop functions, which was very easy to configure, whereas in the past with the heavy forwarders, it was very hard sometimes to even build transformations to do the same thing.

When deploying Cribl, the process went very smooth because we had a Cribl engineer on our side who helped us significantly.

In terms of pricing, we had a very good deal with Cribl. We were paying very expensive SIEM costs, and introducing Cribl into the picture was able to bring down that cost. We were able to get the setup for the whole Cribl infrastructure at little to no cost, and it definitely brought us significant value and cost savings from that direction. In terms of reduction, we were able to save almost ~40% of our total cost.

Other products that we considered throughout the process included Splunk Ingest Processor, and we did a POC on that as well. Some of the positive aspects about the Ingest Processor was that it was right at the edge of your Splunk deployment and therefore there isn't any need to deploy or reshift your infrastructure; it actually goes right into it and then feeds into your Splunk environment. In terms of the disadvantages of Splunk Ingest Processor, it has very limited functionalities compared to what we were getting from Cribl. Cribl gives us the aggregation functionality, which was a huge win for us, being able to aggregate all the events brought us huge reductions, and also the drop functionality and some really advanced functionality within the Cribl tool itself.

Based on my experience, the advice I would give to other companies considering Cribl is that your decision should be very specific to your use case but do not underestimate the amount of data you're dealing with. Data will continue to grow over time, and a tool like Cribl can significantly help reduce costs before the data is sent downstream.

Another important consideration is whether you need to send data to multiple destinations. This was a challenge for us previously, and Cribl helped simplify that process. My advice to companies is: if you're drowning in data and cost, Cribl is essential. It gives you full control over your data and makes management much easier.

As an organization, we've adopted AI heavily and integrated it into many of the tools we use today. We're actively looking to bring similar capabilities into Cribl. It's already in our pipeline, and we see strong potential in using AI to streamline how we build Packs and Pipelines. With AI integrated, we believe it could significantly reduce the time admins spend building specific pipelines for various data sources.

On a scale of one to ten, I would rate Cribl a solid nine based on what we use it for today and the value it delivers.

My main use cases for Cribl include data reduction, sampling, aggregation, and advanced routing of data to get them to the right place with speed.

It benefits our company by not having to guess at what the data's going to look like after we've made complex manipulations to the data. We can see the data in real-time and understand what the input's going to look like and also what the output's going to look.

The feature I appreciate most about Cribl is the interface and how you're able to interact with the data, see the data both live on the ingest side as well as on the side where it goes out to the destination, which is a feature that was lacking in the previous solution I was using.

Cribl does a really great job of making sure that no matter how crazy the data set is, we're able to see that data and understand it, and then perform advanced functions against the data to make sure that it is in the ready state for whatever the end place is in which we wish to send it. It really helps us because we have thousands of different types of data which we have to run through Cribl and make sure that they get to the right place in the right amount of time.

Cribl is world-class at handling large volumes and types of of data, including metrics. Currently, for my organization, we push multiple terabytes worth of data through the solution every day. And we've been able to find out that it's easily scalable, and I feel that in the future, it's able to grow as our needs for data grow. We have been able to see reductions in firewall logs. For many organizations, firewall logs are one of the largest log sources, modernization included. And so with Cribl, we can use the aggregation functions to make sure that we're pulling out key information from those logs and sending those over to our SIEM solution.

In terms of the user interface of Cribl for managing log manipulation tasks, it is a world-class solution. It's one of the main reasons which drove us to contracting and purchasing Cribl. We were tired of using plain text files to manipulate data, especially at our large volume. It really helps us be able to see and click and have an easier interface, so administrators are able to do the same things that previously engineers weren't able to do, working with flat files.

One interesting use case I was thinking about in terms of an improvement for Cribl would be if Cribl were able to do some of the search work that we do currently inside of our SIEM solution in Cribl itself. For example, examining the data as it comes across the wire, making some of those decisions for further functions that have to happen with that data so that we don't have to have that additional workload on the search side that has some delay, albeit very small.

It would be really nice to be able to see Cribl gain insights from the data as the data is in stream, in flight, on the way to wherever its final storage destination is.

I have been using Cribl for four years.

From my perspective of the stability and reliability of the solution, there have been times where certain releases have bugs inside of them that we have to work around in order to make the solution work as intended.

The support team has been very responsive when we find those issues that may occur, and oftentimes there's a patch that's released in the coming weeks for that, and there's a way for a workaround where it does not impact what we need to do.

We have 45,000 employees at our company.

In terms of the ability for Cribl to scale to meet our business needs, it has been doing very well. There is an existing architecture and a model for growth, and we've been able to use that model to grow as our needs have grown over the time that we've used the application.

I would say that in terms of customer service and technical support, Cribl is top class. No matter what time, day or night, my salesperson is available for me and my support team to answer questions, or they answer emails, no matter what time it is that we have an issue. They have been very supportive in making sure that our solution can be working as best as it can.

Prior to using Cribl, I was using another solution to address the problem of data manipulation, routing, and other functions. That solution was Splunk Enterprise props and transforms.

It can be quite painful when you have thousands upon thousands of lines of code that are required to be maintained to manipulate the data and no real way to visualize what those manipulations are doing. That was one of the main driving points that led us to searching for a solution that we needed.

In terms of my experience with deploying Cribl, I myself was not directly involved with the initial deployment of the solution.

However, I can say that in terms of the management and the upgrades and the maintenance of it, my engineers give good feedback regarding how easy it is to maintain, upgrade, and make code deployments, changes, and commits. It is working out for my needs.

From my point of view, there are two main things when it comes to the return on investment of using Cribl that I've found to be the most compelling business use cases. First of all, we're able to take the data and get the data off to multiple destinations on the fly, basically as we need to. The second thing is that data aggregation, sampling, and reduction that we're able to do of the data, lowering our overall data volume, both traversing the network as well as what's being stored inside of our final solutions.

My experience with pricing, setup cost, and licensing has been good with Cribl. The price compared to the value of the product has been found to be worthwhile and we've been able to create a business case year in and year out in terms of why we need to continue our investment in the solution.

We considered some other solutions prior to going to Cribl, such as syslog-ng. However, being that I currently work for a large enterprise, Cribl was very attractive. Cribl comes with enterprise support. That's one thing you need to be cautious of in terms of picking a solution is that if you have to go with, for example, an open-source one, and there's a critical outage, you might not have the support you need and expertise on staff to get the solution back up and running. That was a strong selling point for Cribl.

In terms of advice that I'd give to other companies considering Cribl, I'd say take a look at the business use case and at the data which you have that's flowing through it, and make sure you think about how to get the most on the other side of wherever that data is traveling to, specifically from using the Stream product.

Make sure that you have a targeted goal in terms of data reduction, then work with your support team to make sure that you have the necessary transformations of the data in place so that you can meet those goals. That way, if you do, you can more easily justify the cost and the budget that's required in order to stand up a solution such as Cribl.

On a scale of one to ten, I rate Cribl a ten due to its reliability, scalability, and comprehensive feature set that meets all our needs.

Our main use case for Cribl was primarily data reduction, as we were spending a lot of money on data ingest, and we brought Cribl on board to reduce the amount of money we were spending on that ingest.

Reduction in firewall logs was our primary use case for Cribl, as 80% of our data is Palo Alto firewall logs, and a lot of it we don't necessarily need in the SIEM tool, so we use Cribl to reduce that, keep only the stuff we want, drop the rest, and keep it out of the SIEM tool. The reduction in firewall logs keeps the unwanted data out so that when the security engineers are inside the SIEM tool, they only see the stuff they need to see.

The features of Cribl that I appreciate the most are the vendor agnosticism and the ability to send data almost anywhere you want, regardless of the data type, the format, or the destination; it's very flexible, and we've been able to integrate it with the tools that we have used in the past and are planning to use in the future.

The UI is very clean and super intuitive, making it very easy to bring data on via the sources, route the data to any number of destinations that you want, and create pipelines to transform and morph that data however you want.

Cribl is great in the sense that it can handle a large amount of volume and scales with the amount of data that you want to bring on board; if you need to bring on board more data, you just increase the amount of workers that you have.

We use Cribl to reduce data cost and complexity by both dropping fields that we don't want or parts of events that we don't want while keeping the things we do want, while also keeping all of the data, the event in its full form. We're a government agency, so we ned to keep everything. With Cribl, we can have our cake and eat it too, in a sense.

I'm an engineer, so I think about logging. Improvement could be made in the logging area, as sometimes we encounter issues in a pipeline or something, and it's not immediately obvious when you look at the logs that the pipeline is failing.

I've been using Cribl for around four years.

I would give Cribl a great rating on stability and reliability, especially if you use the built-in alerting engine that they have, as you can get alerts directly if there are any problems with the worker itself or worker processes, and the built-in monitoring page makes it super easy to monitor the health of all your worker processes.

Cribl scales great with our company as we're actually bringing on a lot more data with all the AI tools rolling out, which generate a lot of logs, and Cribl scales horizontally by just adding more workers and worker processes, allowing us to tackle that data smoothly, quickly, and efficiently.

We've had a great experience with Cribl customer service, as we have dedicated PS resources that have been super helpful when we were rolling out Cribl initially, migrating sources of data from syslog over to Cribl, routing, and parsing, with the support being A+ on both the PS side and the technical support side.

Cribl is really the only tool out there that does what it does, especially when looking at Splunk, as when Cribl first came out, Splunk wasn't able to intuitively do a lot of the things that Cribl did just out of the box with a GUI, making it super easy.

We were dabbling in data reduction, transformation using Splunk's Universal Forwarder and even the Heavy Forwarder in some instances, but it was just not as intuitive, with a lot of command line interaction and no GUI on the front end, making it harder to do, while Cribl makes it super easy.

When we deployed Cribl, we were on-prem. All of our workers are on-prem. Our leaders are on-prem. Nothing's in the cloud. The major challenges that we faced really were related to the load balancer that needs to sit in front of the workers. I would like to maybe see that rolled up into Cribl in the future. That posed a lot of challenges for us just coordinating with our infrastructure team, getting the F5 engineers involved, using F5 load balancer. That was a challenge for us. We ultimately tackled it, however.

From my point of view, the biggest return on investment is just the downstream licensing costs we save on the SIEM side; we've reduced our data by a certain amount, and it has almost paid for Cribl itself and also allowed us to chop some licensing off of the SIEM side. We've reduced our amount of ingest by about 40% overall.

I'm not really involved in the pricing and payment aspect of Cribl. I'm just the guy who implements it all once it's bought and paid for.

We're not using Cribl Search at the moment; we're only using Stream and Edge.

If you're a company out there considering Cribl, I would highly recommend at least giving it due diligence; get linked up with the sales rep, as they're going to explain everything to you, and the sales engineers are great and very knowledgeable, making it worth your time and money, so you're going to be glad you did.

I rate Cribl nine out of ten.

Our main use case for Cribl is primarily taking data from all of our different data sources, doing some processing, field extractions, normalizing the data, and then sending it along to our SIM for security incident response and investigation.

My favorite feature of Cribl is just how easy it makes working with the data; it's always been a pain point for us with other solutions, just taking our raw data from the source, transforming and manipulating it into what we need on the SIM side. That's always been a pretty heavy lift, however, Cribl has made that much easier.

The tools built into the platform allow us to work with the data, see the results in real-time, see what the output's going to look before we commit it, and has really made our job in that respect a lot easier.

The Cribl UI is very simple and easy to use, particularly when working with data from various sources; it makes it very easy to create pipelines, add complex logic to those pipelines, and then gives you a preview of what your data looks like before applying that pipeline and what you get after.

As we're bringing data in and Cribl's processing it, it makes it very easy to identify subsets of data or certain events that source data that maybe are less useful or just noisy, not really applicable to to what we need what our security team needs, and we're able to just drop those events before they get sent out and and ingested by our SIEM. So that helps keep our data pipeline streamlined, keeps our output clean. It filters out noise, and then it makes our analysis more efficient. That reduces the data volume going into our SIMs, and that reduces and limits the ingest costs associated with that end. With less data, there's less to process when you're running complex searches. So we have charges against those compute resources reduced.

There are opportunities for AI to be incorporated more tightly into Cribl to help build out those pipelines and apply some more complex logic to those transformations could be useful.

Optimizing CPU utilization on the edge side is something that could be improved; we see, particularly on older hardware and older OSes, Cribl Edge service can eat up quite a bit of CPU resources compared to some other products we've used in the past, indicating there's room for improvement.

We've been using Cribl for about one year.

We have run into a few performance issues and system crashes, mainly due to administrator error; building inefficient pipelines ended up utilizing or over-consuming CPU resources on the worker server, causing some outages. We've worked with Cribl support to resolve those issues, and it's been pretty stable recently.

As we've only been using Cribl for about a year now, I view many of those issues as part of learning the product and becoming better stewards of the system.

We've only been using Cribl for about a year, so we haven't really seen much expansion and are still in a holding pattern. However, leveraging cloud resources does provide the ability to scale; we can provision additional servers on-prem to handle more data load as we scale up and bring on more resources, so I'm confident we'll be able to meet our future demands.

When we've had issues with Cribl, the support we've received has been fantastic; they've been very responsive.

Our account team has stayed on top of the issues we've submitted, and all of the technicians we've worked with have been very knowledgeable, so we've been very happy with Cribl support overall.

On a scale of one to ten, I would give customer service a nine; I'm hesitant to say ten out of principle. There's always room for improvement.

The technicians we've been paired with on the cases we've submitted have all been knowledgeable and responsive. Our account team has been great, and when we've raised questions or concerns, they're quick to provide assistance.

Our primary driver behind implementing Cribl was the need to normalize our data with our existing SIM solution at the time; we had numerous problems making it easily searchable and analyzable. With our previous solution, we easily onboard new data sources, however, as we did that, we weren't necessarily taking the time to properly extract the fields out of that data that we needed.

Consequently, we ended up with a lot of data that was either not helpful or just not usable at all, which just consumed costs and space. Cribl addresses this by allowing us to easily create those pipelines and manipulate the data so that we could reduce the amount of information that we're ingesting that was not useful.

Overall, the deployment of Cribl was very easy. We did not really run into too many challenges at all.

We deployed a hybrid architecture, so we primarily leverage the Cribl cloud. We also have some on-premises workers who we have connected to the cloud. It's a cloud-connected, yet independent leader and has worker nodes for processing edge data from offline edge nodes. So those systems are in secure VLANs and don't have outbound internet access. We're able to stand up an on-premises infrastructure that is still cloud-connected, that's part of our overall environment, and can capture that data and send it along to our system. So overall, we really did not have any challenges standing up the infrastructure. It's been very easy to stand up and maintain.

The return on investment for Cribl is that we've seen it really pay for itself.

When we recently went through a SIM migration from Splunk to Microsoft Sentinel, we incorporated Cribl to help us reduce our ingest costs. What we've seen is really an overall reduction of just shy of 40% in our ingest into our SIM platform versus prior to having Cribl, and those ingest costs have basically canceled out the pricing of Cribl licensing for us based on the volume of data that we have.

I don't recall considering other similar solutions to Cribl. Cribl was the frontrunner on that one. We did a proof of concept early on and immediately saw how easy it was to work with the data and recognized the value it could bring, leading us to move forward with it.

I would advise other companies considering Cribl to just do it; it's worth it, as there's really little to no downside. It just makes your life easier.

On a scale of one to ten, I would rate Cribl a nine, as it brings tremendous value.

As a small security team, it really empowers us to get more useful data out of our sources, making our SOC and incident response teams more efficient and improving the overall security posture of our organization as we now have accurate, usable, easily analyzed data.

Security data is my main use case for Cribl. I ingest data using Cribl Edge and then process the data using Cribl Stream to reduce the amount of volume of the data collected for use in other platforms.

The Cribl Edge features that are easier to use or to manage help me to reduce the amount of people I need to help manage the product.

As part of Stream, reducing the amount of volume provides a financial benefit to allow us to pay less for the other products that we are using the data in down the data path or stream.

The ease of management and configuration of Cribl Edge features is highly beneficial. I have many thousands of Cribl Edge nodes deployed, and it's very easy to make configuration changes across the board or update the agent.

It can contain data cost and complexity. In terms of data complexity and cost, Cribl does a good job at providing solutions that will compress the data while retaining its usable form, or split the data in such that you can retain its original form and send a reduced form to your end destination. In terms of reducing the amount of logs with Cribl for firewall specifically, I am able to reduce the size and reformat the logs so that they are better able to be used downstream.

Cribl has influenced the data processing workflow by allowing us to be platform-agnostic, and being able to separate the data into different destinations is quite easy.

The Cribl UI in general is very intuitive in how to manage log processing and configurations. Customer service and support deserves an 8.5 rating. They are really good at what they do, and you can tell that they are passionate about their product and helping customers have success.

Cribl could be improved by some UI tweaks and some usability tweaks, mostly centered around error troubleshooting for large volumes of Edge nodes.

I have talked to the developers of the Cribl Edge software and they're very open and welcoming to the feedback and are looking to implement changes to help make the product better.

I have been using Cribl for a few months since July of 2025.

Cribl is overall a very reliable product and solution. The few times that I've had any reliability issues, they were quick to help me identify and proactive in helping me identify potential issues in the platform.

We have over 10,000 employees.

Cribl does a good job of handling large volumes of data very quickly. The Cribl Cloud that we have deployed allows for easy scaling to meet the needs of onboarding tens of thousands of Cribl Edge devices in a single day in some cases. Cribl makes scaling for Edge or Cribl Cloud data nodes very easy to add or replace Cribl worker nodes and allows you to, with one click, reconfigure Cribl Cloud workers to be able to ingest higher volumes of data.

Cribl technical support and customer service has been great so far. I really appreciate having a direct line to my Cribl SE or many different Cribl private resources via their Slack channel.

It is a really easy way to quickly get an answer on something rather than having to put in a support ticket, however, support tickets are also fairly straightforward and easy to use.

I did not use other solutions before Cribl that do the same thing as Cribl does.

My experience for deploying Cribl was pretty easy. We have Cribl Cloud, and they make that a very simple solution to stand up. And for the on-prem resources that we have for Cribl workers, those were also easy to stand up and get connected to the cloud. So, overall, it's very easy to deploy the platform and to get it to configure.

The biggest return on investment is probably the log reduction capabilities while retaining the essential information from the logs. In some cases, greater than 80% reduction is achievable. Across thousands of endpoints, it really adds up quickly.

The pricing for Cribl was fairly straightforward. They have a universal license that allows us to consume the portions of Cribl that we want to use or flex into other portions of Cribl. We primarily use Cribl Edge and Cribl Stream at this point, but we could also use the same license for Cribl Lake or Cribl Search.

I did not consider other solutions in my company before choosing Cribl.

I've worked in information security for over ten years.

With any SaaS solution, it's sometimes a difficult decision to decide to do on-premises versus a SaaS solution for on-cloud. I would recommend Cribl on Cloud for its ease of use and manageability. The managed updates are very nice and they have a proactive services team that helps monitor the infrastructure.

Overall, I would rate Cribl nine out of ten. While there are some shortcomings, the direct feedback loop they give to customers makes it a really good product overall.

My current use cases involve using it as a pipeline to process data, to route data from cloud logs to different repositories. Some data goes to Splunk and others go to different data lakes. I didn't work with the firewall logs directly. We use Cribl to process web activity and route data that we wanted to into Splunk ES to create detections.

What I appreciate the most about Cribl is the free training, the free access to all the training, and how easy it is to learn it. Cribl is great in handling high volumes of diverse data types, such as logs and metrics. It does the job.

The product is very good. They could add more AI-assisted pipeline development in the future release.

I have been using Cribl for six months.

I haven't seen any lagging or crashing with Cribl.

Cribl's scalability is very good.

I have never contacted the technical support or customer support of Cribl.

The initial deployment when I first started with Cribl was fairly easy, very easy.

We were a team for this job.

I have used alternatives to Cribl. I forgot the name, but it's a CrowdStrike product they just acquired that is the closest one I've used to Cribl in terms of the quality and the features. Currently, I prefer Cribl more than CrowdStrike. I still haven't played much with the other one, but I didn't find any issues with Cribl.

Regarding Cribl's ability to contain data cost and complexity, if they can reduce their cost, that will make them more competitive. However, I don't know what else they can do in regards to how the application works. It's very good.

For the project that I was involved in, it took me probably three weeks to set it up. We had to maintain our pipelines, not because of anything related to Cribl itself, but because the data source changed, so we had to adjust our pipelines. That was the kind of maintenance that we did.

I would rate Cribl a nine out of ten.

Our use case for Cribl is actually a data pipeline where we collect logs from the source and we stream it through Cribl and then to a destination. The destination is mainly the SIEM tools such as CrowdStrike or SecOps. We collect the logs from various sources, and even the Windows logs are streamed through Cribl worker nodes and data lakes. For example, if it is AWS, from the S3 bucket we stream to Cribl and then send it to Google SecOps, which is the primary SIEM we are using.

The best feature in Cribl, when getting logs from some custom application, is the ability to break up logs that pile up together and come as one event.

Cribl has a feature called JSON Unroll or Unroll function that allows you to differentiate the events; each event will come ingested as a single log instead of piling it up with multiple events. This is critical as this generally happens in CrowdStrike. This feature helps us significantly.

When the ingestion is high from unwanted logs, logs not related to security purposes can be dropped by writing the parser function. By dropping events that are not required for security purpose monitoring, we can reduce the ingestion, which drastically reduces the cost as well. Cribl gives another option where I can store some logs, and when needed, I can pick them up from there.

The interface is very handy and not very complicated, yet there are many functions you can perform. You can play around with numerous functions, parse there, and add UDMs to SecOps, which makes it really easy.

To simplify the pipeline, when we go to the pipelines, there are vast options. We can make it specific requirements based on the customers. I would prefer a customized or simplified version. Cribl is a very good platform to work with, with lots of features that other platforms don't provide.

Cribl is a stable product, however, there are areas for improvement. Their documentation should be updated.

I have been using Cribl for a year and a half.

Cribl is a stable product, but there are areas for improvement. Since Cribl is on-premises, server maintenance is required, and we have an IT team specifically to look into that. We are not worried about that.

There is a similar platform by Google called BindPlane, which is not capable of handling high volumes of data as the data gets stuck in the pipeline, causing ingestion delays.

However, Cribl does not present that problem. Since I have worked with both data pipeline tools, I can compare and say that Cribl is more mature than others.

I have not reached out to Cribl support. That said, my colleagues have.

I'm using another product called BindPlane, which does almost the same things; however, Cribl is a very mature product with many functions. You can use the Eval function, Unroll function, break events, add any particular field you want, or parse in Cribl before sending to a destination.

The initial setup involves dropping some events that are not required for security purpose monitoring. This is based on suggestions from our SOC team or customers.

The deployment itself is a bit compicated and the documentation is not very clear.

We are a partner with Cribl. We have CrowdStrike, and CrowdStrike has partnered with Cribl; they even changed the name to CrowdStream.

It has saved my cost and our customers' cost drastically since I cannot drop the logs directly in SIEM. In Cribl, I can drop the logs, and when I'm not ingesting them, their licensing cost is drastically reduced.

Cribl Search is quite handy; you can use regex where there's a function that contains, and you can search for a specific keyword, which shows everything that matches that keyword. After playing around a couple of times, it becomes easy. At first, it is complicated; you need to go to worker groups, select the data lake, select the worker node. Once you get used to it, it's quite handy. I would definitely recommend Cribl to other users.

Based on my experience, I would rate Cribl eight out of ten.