Our use case for Cribl is actually a data pipeline where we collect logs from the source and we stream it through Cribl and then to a destination. The destination is mainly the SIEM tools such as CrowdStrike or SecOps. We collect the logs from various sources, and even the Windows logs are streamed through Cribl worker nodes and data lakes. For example, if it is AWS, from the S3 bucket we stream to Cribl and then send it to Google SecOps, which is the primary SIEM we are using.

The best feature in Cribl, when getting logs from some custom application, is the ability to break up logs that pile up together and come as one event. 

Cribl has a feature called JSON Unroll or Unroll function that allows you to differentiate the events; each event will come ingested as a single log instead of piling it up with multiple events. This is critical as this generally happens in CrowdStrike. This feature helps us significantly.

When the ingestion is high from unwanted logs, logs not related to security purposes can be dropped by writing the parser function. By dropping events that are not required for security purpose monitoring, we can reduce the ingestion, which drastically reduces the cost as well. Cribl gives another option where I can store some logs, and when needed, I can pick them up from there.

The interface is very handy and not very complicated, yet there are many functions you can perform. You can play around with numerous functions, parse there, and add UDMs to SecOps, which makes it really easy.

To simplify the pipeline, when we go to the pipelines, there are vast options. We can make it specific requirements based on the customers. I would prefer a customized or simplified version. Cribl is a very good platform to work with, with lots of features that other platforms don't provide.

Cribl is a stable product, however, there are areas for improvement. Their documentation should be updated.

I have been using Cribl for a year and a half.

Cribl is a stable product, but there are areas for improvement. Since Cribl is on-premises, server maintenance is required, and we have an IT team specifically to look into that. We are not worried about that.

There is a similar platform by Google called BindPlane, which is not capable of handling high volumes of data as the data gets stuck in the pipeline, causing ingestion delays. 

However, Cribl does not present that problem. Since I have worked with both data pipeline tools, I can compare and say that Cribl is more mature than others.

I have not reached out to Cribl support. That said, my colleagues have.

Positive

I'm using another product called BindPlane, which does almost the same things; however, Cribl is a very mature product with many functions. You can use the Eval function, Unroll function, break events, add any particular field you want, or parse in Cribl before sending to a destination.

The initial setup involves dropping some events that are not required for security purpose monitoring. This is based on suggestions from our SOC team or customers.

The deployment itself is a bit compicated and the documentation is not very clear.

We are a partner with Cribl. We have CrowdStrike, and CrowdStrike has partnered with Cribl; they even changed the name to CrowdStream.

It has saved my cost and our customers' cost drastically since I cannot drop the logs directly in SIEM. In Cribl, I can drop the logs, and when I'm not ingesting them, their licensing cost is drastically reduced.

Cribl Search is quite handy; you can use regex where there's a function that contains, and you can search for a specific keyword, which shows everything that matches that keyword. After playing around a couple of times, it becomes easy. At first, it is complicated; you need to go to worker groups, select the data lake, select the worker node. Once you get used to it, it's quite handy. I would definitely recommend Cribl to other users. 

Based on my experience, I would rate Cribl eight out of ten.

Our use case for Cribl is that we want to make sure that we parse everything correctly, and it is easier for us to transfer our data in our system in a more compact way; it runs smoothly.

We're in the beginning stage of using Cribl, but the reduction in firewall logs will help significantly with processing speed. We just worked on handling high volumes of diverse data including logs, metrics, and files last week, and it ran very smoothly with quick processing.

The best feature about Cribl is how easy it is to move; the UI is very simple, everything is very neat, and everything is organized. We have been dealing with Cribl extensively recently.

Cribl is awesome. The university offers a lot of great resources, but there could be more detailed information about Cribl itself. It would be helpful to have a step-by-step guide that covers everything from the basics. Since Cribl is such a large platform with numerous features, having a clear, structured approach would make it easier for me and others to understand and utilize its capabilities.

I believe it would be beneficial to have a step-by-step guide for users on our endpoint. This would make it easier for them to understand how to use it. When I explored the endpoint, I found myself wishing for clearer instructions presented in a sequential manner. This is just a small critique based on my experience using it so far.

We started using Cribl around three months ago.

I would rate stability as a nine; nothing is perfect, but it's great. 

I would definitely give scalability a nine as in terms of what we're seeing and thinking about, it's solid.

We have around eight or nine users. Everyone is touching base with it. For now, it will stay at eight unless we expand. We are going through an expansion, so it’s possible we might increase the number of users; but for now, we’re steady at our current count. We are a medium-sized business.

Their customer support is fantastic.

Positive

We were using a manual solution previously; this transition to Cribl is our first time implementing an automated solution.

We are typically on-premises. I believe Cribl is currently focused more on the OT side because the primary customer base is more enterprise-oriented. OT relies heavily on this. However, if I'm not mistaken, we operate in an on-premises or hybrid environment; we are definitely not using the cloud.

We are still in the process of deployment, and so far, the deployment has been going fairly well and has been relatively quick for us.

We are in the transitioning stage; we're implementing everything from square one with our team, participating in daily calls to make that happen. We are experiencing some issues with data transfer and parsing errors, which is extending our SIEM transfer time.

Based on what our managers say, we have saved a significant amount of time and resources moving from a manual approach to something that's more automated.

As I visited different booths at the conference, I realized that I still prefer Cribl. Even though I haven't worked with any other platforms, I was impressed by how everything is laid out and how simple it feels to work with your system. I genuinely appreciate the user interface. I find it straightforward and well-organized, making it easy to navigate.

I also noticed that they have implemented something like a password manager, which sounded familiar. Overall, everything I saw reaffirmed my preference for Cribl. So, despite checking out various booths, I'm still committed to Cribl at the end of the day.

I would definitely recommend it. The user interface is great, and the customer support has been fantastic as well. Our experience with Cribl has been very smooth; everything runs seamlessly. There are no delays or sluggishness, which I really appreciate. I have to give it props for that; everything operates very smoothly.

I would rate Cribl a nine out of ten.

Our main use case for Cribl was SIEM migration, where we merged multiple SIEM solutions to a single SIEM solution. SIEM migration was the most major use case we were looking for. The second use case was a manageable logging solution which could have a nice interface and would be easy to manage. Data cutoff or Log Filtering was the third biggest use case we were looking for, where we were seeking data reduction to define what we need and don't need. Additionally, we performed data masking for PII i.e. payments and medical data. These were the main use cases that were all provided by Cribl.

My previous company did a significant amount of business using Cribl, particularly in servicing customers who had a perfect fit for the solution. From a consultant's perspective, I can say that we resold licenses for Cribl, delivered services related to Cribl, and also provided maintenance services. This brought a decent amount of business to our company.

Regarding the reduction in firewall logs due to Cribl, it did influence our overall data processing and workflow. For example, the AWS VPC flow logs were greatly reduced in size, which had a substantial impact on the licensing costs for destination platforms. It did help us and the customer quite a bit. Cribl's role in its reduction of firewall logs, either cloud or on-prem, was vital.

The data cost is an important aspect. Cribl is specifically designed to reduce the data costs associated with the destination platform. This is one of its core offerings.

Regarding platform usability, the Cribl interface is quite intuitive and easy to use. The navigation and seperate sections are easily accessible, making it very user-friendly. The color scheme and palette are excellent, and there’s nothing messy or unmanaged about the user interface. Overall, I personally find the user interface to be very comforting.

The features of Cribl I have found most valuable include its SIEM migration capability. It facilitates migration quite nicely. The data reduction and preprocessing capabilities make Cribl really unique. Data masking is an important one. And as Cribl Stream can be deployed on-prem, on cloud or as a hybrid model, its support for every sort of enterprise estate is highly appreciated.  

The UI interface is very good. It's user-friendly, intuitive, not complicated, and sufficient. It's not more than what it needs to be, and it's simple without being overly complicated.

They've already done many good things with the product, but perhaps they could implement a temporary SIEM solution where we could store logs and display them as a SIEM, though I think that's not the space that Cribl is actually looking into. Based on my experience, this product is brilliant and there isn't much or anything important lacking in the product.

We encountered some occasional issues with the syslog data stream, particularly when handling large data volume, and getting it to parse and field extracted correctly, but no major alarms that would halt the days operation. There were few source vendor specific challenges, but overall, I didn't notice anything major beyond that. Most of the process went smoothly. However, we did need to carry some troubleshooting to resolve the issues we faced while connecting with other platforms and few data stream miss-behaving, which wasn't a straightforward task for us. In terms of large datasets—whether they originated from network inputs, virtual machines, or cloud instances—ingesting the data into the destination was relatively easy. In summary, aside from the usual difficulties or issues that someone could face with any project, everything else went well.

I have been working with Cribl for more than four years now.

Cribl is quite stable and doesn't crash; there's no unusual behavior. If it's stable, then it's reliable. I could see the data that goes in and how it is being processed at each stage. There are no concerns when Cribl is working in production environment.

Cribl is quite scalable, as we could add worker nodes as our data grows, so it's sufficiently scalable and able to facilitate as much data as there can be.

Their technical support has been really great, and solution architects we worked with were really knowledgeable. They had extensive expertise with the product and were able to facilitate with everything we needed. The experience with Cribl technical staff has been one of the best.

Positive

For similar use cases, different companies were using different tactical solutions i.e. custom scripting. None of the solutions were strategic and well thought through. Some were using scripting, some were not utilizing anything. Some were ingesting into the SIEM and then doing all the tasks which should be done pre-ingestion. There was a lot of disorganization, and Cribl had really found the gap where they could offer their services.

I performed the entire setup of the Cribl infrastructure.

With the Cribl Stream setup, I first had to initiate the tenant. Once the tenant was provisioned, I configured IAM setup i.e SSO, RBAC etc. I onboarded the data sources and deployed the worker nodes to the appropriate locations. These locations could be various subnets, cloud virtual machines, on-premises virtual machines, or any ready-to-use Cribl cloud workers  we needed. The process depended on the company's IT infrastructure. After the worker nodes were set up, it was simply a matter of onboarding the data stream into the platform and then directing it to the destination platforms.

As for Cribl's deployment, it operates in a hybrid environment, utilizing both cloud and on-premises solutions, tailored to meet the needs of different customers.

I delivered Cribl services as a Certified Cribl Consultant to various customers. Cribl technical support was arranged whenever there was a need for it.

We have managed to save significant money and resources for multiple customers, reducing operational complexity and the cost of destination platforms but unfortunately I cannot quote specific numbers due to NDA. 

Cribl is very inexpensive, with enterprise pricing around 30 cents per GB, which is really decent. Organizations looking to ingest terabytes or petabytes of data each day find it quite an inexpensive solution. The pricing model for Cribl Stream is one of the best values that customers would be getting, and I don't think any other solution offers this much value at this price point.

Confluent was considered, but Cribl emerged as the best solution.

I would rate Cribl an eight out of ten.

I use Cribl with all of my customers that I manage services for. It's how I get their third-party log sources into Microsoft Sentinel.

We save about 75% percent of our costs by processing network and firewall logs through Cribl. This is largely due to the compression and duplication that exists within those logs. They tend to be very noisy, and most of the information isn’t useful from a security standpoint. While some of the data might be valuable to other departments, we don’t need to store all that extra information. By removing these unnecessary details, we quickly reduce our data retention costs by 75%.

Cribl makes it very easy to contain data cost and complexity. As far as complexity is concerned, there might be manual ways to do it in other products, but not with the ease and durability. It remains the same, whereas you might try to put a patchwork of other things together to get the same result. In terms of controlling costs, we achieve about 75% savings on data storage, which is fantastic. However, it’s worth noting that Cribl is not free, so we do pay for it to realize these savings. As long as Cribl doesn’t increase their prices too steeply or too quickly, we should be fine in terms of managing our costs.

Cribl definitely handles high volumes of diverse data types. Anything from firewall logs, endpoint security logs, to Windows event logs can become very noisy, especially in large environments. I've not had an issue with Cribl dropping logs. Occasionally there could be a short-term outage, but that's definitely very rare.

My favorite feature is Cribl Stream. That's probably the only Cribl product I have a lot of experience with, and Cribl Stream makes it very easy to identify where all the customer's log sources are and to quickly connect them to a destination source such as Microsoft Sentinel and Microsoft Azure Data Storage.

Cribl Stream does two things: not only does it make it easy to connect one log source or one dataset to multiple storage locations, but it also has compression features, which greatly reduce the storage cost for that data. It strips out and compresses data so that only the absolute information remains and not any duplicates. Dual destination and compression are the two top features.

I would Cribl to become more Microsoft-focused. A lot of my work is in the Microsoft environment. Cribl supports all of these other platforms out there, and they seem to be developing a lot for CrowdStrike. I'd prefer to see some Microsoft-specific connectors built inside of Cribl.

I have been using Cribl for about two years now. They've only been around for about four years, so I've been using them for half of their existence.

The performance and stability of Cribl are fantastic. The uptime is 99.9%. We are realizing all of the cost savings promised, and there are no failures.

Scalability is easy because we can just go into the portal and add a new log source. If we onboard a new firewall or something we want to collect logs on, we can quickly implement that. I don't need to talk to a Cribl engineer to connect a new log source. The only requirement might be purchasing more Cribl credits if I'm running low because I'm asking it to do more than originally specified.

We've engaged their customer service and support, and anytime there's an outage, they've been very receptive. They've quickly escalated our tickets and helped us get resolution. We've never felt we were waiting for a response or that they didn't know what was going on. I think it's maybe because we were an early customer. I would assume it's the same for all customers, but we've gotten great treatment. 

I would give them a 10 out of 10 for support. They are very responsive. We deal with a lot of other cloud solution providers who have tried to save money on support. It could be that because Cribl is new and they really want to make sure all new customers are being successful, but we really hope this continues. We don't feel we're alone.

The only alternative I can compare Cribl to would be Azure Data Transformation, Azure Data Time configuration rules and policies, basically making the storage source sort the data, and that is very painful. I don't see any next-best options when it comes to Cribl. They seem to be a leader and standing alone in their service offering, specific to Cribl Stream. For other products such as Cribl Lake, there's now Microsoft Sentinel Lake, which is a competitor, and I haven't really analyzed the pricing to see how competitive that is. But regarding Cribl Stream, there's no close competitor. The closest is extremely painful, requiring about 20 pages of configuration to even get close.

It's straightforward. They have a really nice user interface, and their service engineers will guide you through the initial setup. Since they are compensated based on product usage, they ensure that we are properly onboarded and that our experience is as successful as possible.

To deploy Cribl probably took an hour. Identifying all the different log sources that we wanted to bring in took about another eight hours of human work as it was a data exercise of determining which log sources are important to us, and where we can get the best compression or data size reduction. You can connect to them all automatically, but you want to have the thought process of which ones matter and what actual data you need. 

It does not require any maintenance on my end. The big thing is just checking connector health to make sure everything is running and that logs aren't dropping and that there haven't been any changes. In case there's any outage, putting in a ticket for any outage issues is very minimal. It's set it and forget it, and then just monitor to make sure nothing's bad or nothing has gone wrong.

We're a large organization, so we have a team of about five people who worked on the deployment of Cribl. I'm sure smaller organizations could use a lot less. We probably could have gotten away with two or three people. Not to say one person couldn't do it, but it's always good to have another person putting eyes on the process just so that we don't have a single point of failure.

The pricing has been increasing year-over-year, and I understand that the cost of business continues to grow. The cost of log retention and all the aspects they're fighting against, they are also a victim of. It is a concern that I'm watching as they raise prices about 10% year-over-year. I am still observing significant cost savings, although the amount of savings is gradually decreasing. Additionally, they are currently the sole provider of this type of solution, which means they face no competitive threats.

I would rate Cribl a ten out of ten. I truly appreciate them as partners. They genuinely feel like they're with us on this journey to manage the increasing volume of data. It's been exciting to watch them grow. At first, I thought I was a bit of a nerd for being an early adopter, but seeing so many others come on board after us reassures me that we made the right decision.

We use Cribl Stream to collect logs from multiple sources, transform and enrich them, filter out unnecessary data before sending them to SIEM. We also use Cribl to route logging to data lake.

Since we started using Cribl, it’s made a huge difference for us. We spend a lot less time building and maintaining things, so the team can focus on the security work that really matters and brings value. Plus, by filtering out all the noisy data we don’t need, we’ve been able to cut costs and make our data a lot cleaner.

One of the biggest things I love about Cribl is that you can actually see the output in real time before you push anything to production. The UI makes it super easy to work with, and honestly, it saves a ton of time. Plus, it’s way easier to collaborate—everyone’s on the same page, and you’re not guessing what the data’s gonna look like once it’s live

So since we’re handling a ton of data, I think we could really benefit from a more integrated or connected way to manage it all. Like, if there is a way to better track data lineage, metadata, those can help with knowledge transfer.

A couple of months

I haven’t ran into issue yet

I can’t really speak to scalability yet. So far I don’t have any problem with it.

The technical support is good. I'm happy with that.

Positive

We have used something similar before, which was Logstash.

Not sure

I think the pricing for Cribl is reasonable. For large usage, but I heard the calculation of those credits is a bit complicated.

We did, but Cribl just felt more mature and well-established. I think that’s the reason why we selected it.

Cribl gives us way more control and flexibility than we ever had before. We deal with massive volumes of telemetry data, and honestly, a lot of it is just noise. Cribl allow us to easily filter, transform, and route that data exactly how we want. It’s made a big difference.

For Cribl, we use only Stream, which we are using as a data pipeline in between our environment and the SIEM console. We have two SIEMs: one is a cloud SIEM and one is an on-prem SIEM. On-prem, we are using another user and entity behavior analysis tool, so we have a redirection or a copy of a log for user login and logout information. Then we have a SIEM console, and we have redirections to the SIEM through Cribl. From the environment, we have a load balancer, and from the load balancer, we have this data pipeline configured to different SIEMs, and then we have that data transferred to two different SIEMs.

Cribl's ability to handle high volumes of diverse data types is exactly the purpose that we took it for, and as far as I have seen for the last nine months, it is handling well without issues. Connectivity-wise, there is some problem, but I'm not sure whether it's from the Cribl end or the SIEM end; we are working on both ends right now, so I don't see any problems concerning that. Cribl has helped in reducing informational logs between the main entity of our SIEM and the external entity, so that actually helped.

Regarding Cribl's solution, we have limited access to Stream. I'm not sure about the other three products. We only use the Stream of Cribl. If I suggest something, it may be available on the other products. I haven't worked on those. The suggestion would be more into log information, as I'm not able to view more logs because this is a limitation that we are only using for data pipelining. If we have more visibility or if the storage structure is already there, I'm not sure; if it is there, it would be fine.

Regarding stability, lagging only happens if I exceed my data analysis stuff, but it is a limitation with Cribl as per their design. We do not use it for that purpose, but if it is improved, it would be great. For scalability, I'm not sure in my project as we are using it only for a limited purpose. Maybe, if there was an environment that required more data transfers and logs to be filtered out, it would be good, and I would suggest it.

I have been using Cribl since we deployed it during November, which is close to nine months.

We are actually checking on a regular basis; however, the problem is with the connectivity of the data pipeline and the SIEM. It requires attention if there is an alert; for example, if the pipeline is down and we receive an alert that it's not sending information to the log collection platform for more than one or two hours, if we receive an alert, it would be great.

For scalability, I'm not sure in my project as we are using it only for a limited purpose. Maybe, if there was an environment that required more data transfers and logs to be filtered out, it would be good, and I would suggest it.

My engineering team contacts Cribl's technical support; I join the call in case any issues come up and I provide my suggestions.

Positive

Cribl is the first tool that I'm using for this particular data pipelining. We do have Dynatrace, but we use it for a different purpose, for monitoring. Cribl is for streaming purposes only, so the purpose is different. I'm not sure if there is a competitor for this particular tool or not, as I haven't worked with any competitor so far.

The initial installation was kind of easy to understand for me, while my teammates struggled a little bit, so I would say it was okay.

My engineering team contacts Cribl's technical support; I join the call in case any issues come up and I provide my suggestions.

Cribl is the first tool that I'm using for this particular data pipelining.

For everything, my suggestion and limitation as I told, if it were there, I would give Cribl 10 out of 10; since it's not, I'm giving nine out of 10. I am just a user of Cribl; my company has a license with them. I'm not sure if they have a partnership with Cribl or not. I rate Cribl nine out of 10.

Our use cases that we are exploring Cribl for right now are for data parsing and data manipulation.

The feature I appreciate most about Cribl is that it is really easy to use and quick to replicate data models on different data sets. We have over 1,000 log sources, and currently, we have to configure them individually with their own architecture. Cribl allows us to do a copy and paste architecture and saves us a lot of development time. It also makes it easy to add any sort of extra data parsing to specific lines. Ease of use is really our biggest benefit from it.

Something that Cribl could do better is processing time. There is not enough customization to improve performance. An example would be with AWS Lambda functions, the way we were doing it before. There are different strategies where the way we code it could save us more processing time and still have the same price. With Cribl, it is very much set in its ways. If you want better performance, then you have to pay for more resources.

The UI is a very beneficial thing that saves us a ton of time. I mentioned the copy and paste approach and little to no code anymore, as it is all UI interface-based now. There is little to no code that we do other than regex commands. If there was still some aspect of being able to add our own code, we could potentially get better performance. I understand this is the whole use case of Cribl, to remove the technical need aspect. You do not need as many experienced developers; you will pay for software and have to hire an analyst instead of an engineer and save money on wages. For how good the tool is, it would be nice to still have that data engineering aspect.

I have not been using Cribl in my career. We are a company that is interested in investing in it at the moment. However, we do have several teams that have used it and we have also had access to a dev workspace that we have used.

I have not had any issues. So far, everything has been good.

It is pretty scalable, just in terms of cost. If you have any problems, it is probably going to be more about having to pay for more resources.

Currently, we are using Logstash, and we are also exploring a POC with DataBahn. DataBahn is a newer company. They are not as sophisticated as Cribl, and the performance is probably not there, but they make up for it in cost.

Being new to Cribl, the setup was very easy.

For us, it could have been done with one person, but we had different team members involved just for exposure because we were onboarding it with many people. It could have been a one-person implementation, but two to three people would have been a good healthy number.

The current pricing is a little bit above average.

We are using around 25% of what Cribl offers, mainly focusing on log parsing, which is what Cribl started with. We use AWS as our main source of ingestion.

There is little flexibility in pricing. It is simply the market price, and you either pay it or you do not. Cribl has significant capacity to handle high volumes of diverse data types, such as logs and metrics. Cribl can handle almost anything we throw at it, as lonthe g as budget is not an issue.

There is a team in my company that uses them, but they are part of a separate company. We do not have any partnership with them yet.

On a scale of 1-10, I rate Cribl an 8.

Entire logs from my organization go through Cribl and get routed to Splunk and various other destinations. I use it on a large scale in my organization. Cribl Stream is one of my favorite parts. I use Cribl to route the logs to various destinations. It helped us to completely remove the monopoly on Splunk. Not only firewall logs, but also cloud trail logs and many other logs were processed through Cribl.

It helped us to completely remove the monopoly on Splunk, as we previously couldn't have any control over logs and how to optimize them. When we had Cribl in place, it provided a vision and a platform for us to control what we send and how we send it in terms of data passing, data enrichment, and many more things, with massaging the data. It also helped us to open up to many tools where we could send the data to various destinations, as it is vendor-agnostic.

Cribl Stream is good, but I feel they could develop more products apart from Cribl Stream for my use case. I know Search is coming and Data Lake is there, but there can be more innovations in Cribl. They had one good product, which is Cribl Stream, which appears to be the primary revenue source for the company, but there may be many other use cases. They could explore OTel and how to connect with DynaTrace. They are looking specifically for logging, but expanding into metrics and APM would also help.

I have been using Cribl for the past three to four years.

On-premises deployment is something which customers take care of themselves. Earlier versions had quite a few issues, but there are more stable versions now, so it is a good time to start using Cribl.

They are very scalable and good.

They are very good in terms of solving issues. Regarding availability over other time zones, since it is mostly focused on Europe and US, they are starting to build up in New Zealand and other places.

I tried a few other alternatives as POCs, but none of them worked out as effectively as Cribl.

We worked on it for six months. Our infrastructure is complex, so it took almost six months, a couple of quarters.

If you have a good architect and a couple of Cribl staff members to assist, three persons can handle the implementation.

It is feasible and doable. Compared to Splunk, Cribl is cheaper.

Pricing is feasible and doable. Compared to Splunk, Cribl is cheaper.

I tried a few other alternatives as POCs, but none of them worked out as effectively as Cribl.

It has been able to perform to the best of its capabilities. They are able to handle everything with their non-shared architecture. On a scale of 1-10, I would rate Cribl a solid nine.

The use case is for data log optimization and log rerouting. Along with log optimization and log rerouting, we have been using Cribl for data lakes.

Overall, Cribl has improved my organization. The reduction in firewall logs has influenced my data processing workflow. When we talk about data optimization, these events ingested into Cribl are basically the raw info, raw logs. Enhancing those events to optimize, to add new fields or to remove the extra fields that are of no use helps us in log reduction by dumping the raw logs and only ingesting the interested fields, which helps us in 50 to 60% volume reduction.

We can change the log format in case any data feed is ingesting logs in some different format, so we can reformat the logs and send those logs into some JSON format or any other format that is more understandable to any normal person. 

Cribl has been able to manage and take care of a high volume or any outburst of logs. We are able to manage those by creating alerts whenever resource thresholds are being breached so we can scale up the workers.

The best feature in Cribl is the UI, which is user-friendly. Apart from being user-friendly, you can have integration with Git, GitHub, and other config version controlling tools that we need. You can integrate them as well. Currently, I'm using GitHub, so it's quite easy to integrate it with GitHub and use it. We have multiple source integrations available, with multiple destinations being supported by Cribl. I'm using a cloud version which is not hosted in Cribl; it's on our own cloud that we have hosted. It's a containerized version that we are using for Cribl. It's quite easy to patch the Cribl host as well.

Given the dynamic nature, we can create workers, worker nodes on the fly. We can increase or decrease the worker nodes as per our requirements. For knowledge objects, we can have the lookups added and we can do the filtering based on lookups. We can use the custom packs as well to enhance our logs. 

Log enhancement is another feature, and when I say log optimization, this has been one of the best features for Cribl where you can reduce the log size by filtering the selective logs, enhancing the log quality by filtering the requested fields within the logs and filtering out the unnecessary garbage value within our logs.

Another interesting feature is that you can have the logs rerouted to multiple destinations, whether it be S3 bucket or any SIEM solution, any data lake, or any third-party tool. 

Over the period, we have upgraded Cribl, and earlier it did not support multiple sources. Now with the upgrades, it has integrated with multiple new sources and different integration mechanisms such as Wiz, TCP, Syslog; all those functionalities have been excellent.

In terms of areas for improvement, I would say Cribl internal logging has been one of the bottlenecks; that should be enhanced. If we can have more internal logs and more debug logs to validate the error, that would be beneficial because instead of reaching out to Cribl support, we can troubleshoot and find the root cause ourselves.

Currently, Cribl only provides monitoring for the data that is being ingested. If Cribl could store metrics for the data that has been ingested in the past, that would be valuable because there have been certain scenarios where tenants mentioned they are not receiving the logs from the past. There's no way to go back and check whether Cribl received those logs or not. If there could be metrics that could help us provide how much data for a particular week we received, it would be very beneficial.

Another enhancement I would expect is if Cribl could have more dashboards for troubleshooting, which would be very beneficial. I would expect Cribl to provide those troubleshooting dashboards to troubleshoot and try the errors, as it becomes tough to understand where the root cause is when an issue occurs. If Cribl can have more alerts defined in itself, rather than relying on any SIEM solution to forward the logs and configure the alerts over there, having Cribl itself with alerting mail notifications or SNS would be very beneficial.

I have been using this solution for almost one and a half or two years.

I would rate the stability as ten out of ten. The platform has been stable unless there have been unforeseen circumstances such as an outburst of logs that the team has not been informed of. In such cases, I've seen some outages, but this is not caused by Cribl. This has been caused by the source team or the ops team.

Regarding scalability, the current Cribl certifications available on Cribl support are good. User, admin, and edge certifications are very good. I enrolled for one of the certifications that required instructor-led training, but I couldn't find the slots for that.

It's an enterprise version, and we have a good amount of users using this solution.

I would rate the technical support an eight out of ten. I've kept two points for improvisation in terms of internal logging. Given the scenario that whenever there is an issue, we may have to engage support, if they could enhance their internal logging, we won't require Cribl support to engage.

Positive

Deployment is somewhat easy, but I would appreciate it if Cribl can provide more documentation on Cribl deployments. They need to upscale their knowledge base. 

The time it takes to deploy depends on the environment; if the initial requirement is just to have a few workers and the leader spin up, it should not take much time. If the initial setup is huge, then it depends on how many sources need to be integrated and where we are hosting it. If it is Cribl Cloud, it would be easier, but if it's a hybrid one, some complexity depends on the sort of environment you have.

I have not conducted much analysis on the return on investment part, but in the POCs that I have done in different projects and in the current one, there has been almost 30% return over investment available. However, it varies from project to project and requirements as well. If there's a requirement only to do the filtering and enhance the log and optimize them, it has helped, but in those cases where log optimization is not required, only enhancement is required, it has somewhat varied. In the case of optimization, it has helped return on investment to somewhere close to 50%.

Regarding pricing, nothing comes free. Obviously, when we are using Cribl, it has a cost associated, but over time, the licensing cost has increased, given the scenario that Cribl is gaining popularity.

Given the scenario that it's a new tool in the market, it has been promising enough. With the features and functionalities that it offers, it's been very good.

I would recommend Cribl to other users, especially if someone is looking to optimize their logs and do volume reduction. But everything comes at a price. If you are not utilizing it to the max, you won't be able to get a good return on investment. Always ensure that whenever you have such things in place, you have the complete benefits of that particular functionality being used.

I would rate Cribl an eight out of ten.

I am using Cribl to have everything centralized in one tool in terms of data collection. We were working with different Splunk customers, and Cribl helps collect data and then send it to an S3 bucket or Amazon Web Services (AWS) response plan.

Cribl allows us to enforce security for some customers. For instance, if they want to add fields, values, or need to change formats to comply with different security standards, Cribl makes it possible.

My favorite option in Cribl is the Stream product. It is the best use case for us and our customers. Additionally, the community on Slack is excellent for solving questions and getting ideas.

At the moment, I don't have specific feedback on what can be improved as I do not work with Cribl daily. Perhaps more flexibility in terms of metrics would be helpful.

I have been using Cribl for about two years, more or less.

From my experience, I did not face issues with Cribl's stability. However, I heard others have faced issues.

In my experience, Cribl has been perfect in terms of scalability. I did not have any issues.

I haven't contacted them in terms of paid support. That said, the community, including the engineering and sales teams, is available on Slack and is very supportive.

Positive

The initial setup is really straightforward, and the documentation is very good.

I am not aware of the pricing details, however, I know they use a credit format for billing.

Utilize the documentation to ensure Cribl fits your use case, and join the Cribl community for any questions or recommendations.

I'd rate the solution ten out of ten.