I have used Cribl for log volume reduction with SIEM tools including Splunk, Sentinel, and Elastic. The raw logs contained a lot of noise, and Cribl helped me filter unnecessary logs, drop low-value fields, reduce repetitive logs, and remove unused attributes. I achieved 40 to 80% reduction in existing volume, which resulted in faster searches and good cost savings.

Cribl helped me route the same log streams to multiple destinations based on conditions I wanted to implement. Firewall logs were sorted with error messages. Whenever I received firewall messages, different types of traffic were allowed or denied, and there were threats from malware, scans, IPS, VPN connections, and authentication failures. I added context to the logs that was useful for SOC teams, including geo-location based on asset owners and application names. Since firewall logs were highly verbose and expensive to ingest into the SIEMs, I used Cribl to parse and transform them into structured fields, enriching the geo and asset context. I also dropped noise from the traffic we received and routed only threat and deny logs to the SIEM while storing the rest in S3 for long-term analysis.

Whenever I received high volume log metrics, Cribl proved to be the best solution. Using Cribl, I processed millions of data per second from various sources including firewalls, Kubernetes clusters, cloud platforms, and Prometheus, which is one of the primary sources from which I receive data. Cribl efficiently handles high-volume logs and metrics through horizontal scaling, easy filtering, smart sampling, metric cardinality reduction, and tiered routing. This ensures performance, cost control, and reliable observability even at massive scale. I primarily worked on the scaling part, including auto-scaling, and I also used load balancers to balance the load between worker nodes and the leader node.

Cribl reduces data complexity by normalizing log formats, handling schemas, flattening nested data, and reducing high cardinality fields. I worked with instances where I had different JSON files and set cardinality fields including request ID, session ID, and pod UID. By applying conditional parsing, flattening JSON nesting files, and removing high cardinality fields, I simplified downstream analytics and reduced ingestion cost by almost 60%. In our projects, each team works on particular domains, and I was specifically working with load balancing, auto-scaling, and routing data to destinations. Cribl is one of the most reliable solutions I have worked with, and it has provided a user-friendly experience. Whenever I wanted to access data from years back to check for seasonality impact, Cribl helped me accomplish this. I believe that if this feature works well, the other features will also work seamlessly.

Cribl is one of the best data pipelining platforms, and with all the features that have been upgraded over the past three years, it has been seamless. Although it is on an expensive side compared to competitors such as Edge Delta and many other platforms, Cribl is one of the most secured solutions. When data passes through or when I store any data in hot tier, cold tier, or archive storage, it is very easy to determine which data to keep, and the data routing process is seamless when compared to other platforms.

Regarding the UI, depending on the configuration, the home screen shows me how the system's health is, including the ingestion rates and how events are working in per second. Throughput charts are available, and errors or warnings also pop up. The UI is well-organized for me. Whenever I log into Cribl UI, I directly go to the streams to classify the incoming logs and then create a pipeline using the drag-and-drop builder. I do not need to write full code because it has drag-and-drop functions. I choose functions such as Parse, Eval, Drop, and live events preview to test against sample events. Once this is done, I assign routes to destinations. The particular destinations I worked with include Splunk and Stream. Finally, I monitor the throughput, errors, and metrics dashboard and adjust as needed. Cribl follows a very systematic approach in the UI part, and it is a hassle-free solution for developers to work on.

I have not worked with Cribl Search very much, but I have worked extensively with Cribl Stream. From my certification, I remember that Cribl Search's Search-in-Place feature allows me to query data when it is already living. Without re-ingesting data into a SIEM, I can search it through Cribl dashboards. For example, I keep data in the SIEM for 7 to 14 days, for months or years in object storage. Cribl Search allows federated on-demand logs and metrics. When platforms can access data without ingesting it directly into the SIEM, I can directly use the on-demand function, and it is mainly used for cost-effective historical search or investigations that have already been done in past years. This Cribl Search feature helps me check seasonality impact, such as comparing last year's revenue percentage to this year's revenue. This helps me make better decisions about the market. Since my client is Microsoft and I ingest heavy amounts of data every day, Cribl has been handling this very well.

To improve Cribl, I would focus on comparing performance and architecture with other tools. High volume efficiency can be made more seamless, such as improving the identification of noisy sources via metrics and sampling repetitive logs. This feature already exists, but I am talking about how to make it more efficient. I will focus on the high volume data part, reducing data complexity, making performance metrics more visible, and the dashboard can be more interactive. Integration of AI tools can be much more helpful. I am pretty sure that the developers of Cribl have been working on that and an update will come soon with AI integration. However, I need to ensure that data is secured as much as possible because data security is non-negotiable for data engineers.

Cribl is a very interactive application for me and one of my favorite applications to work on. I hope to have more opportunities to work with Cribl. The cost part is very high compared to alternatives such as Edge Delta, which offers much cheaper prices. However, price comes with a cost, and speed and security come with a price.

Integrating AI is one of the most valuable improvements. It will most likely be Copilot because I do not think OpenAI will agree to integrate with Cribl, or Cloud may also come in, but I believe Copilot will be first. Integration of Copilot will be a big advantage for everyone. I would not need to run scripts or go back to documentation to check function syntax because there are many functions I need to use in day-to-day life, and it is very hard to remember every function syntax. When I integrate AI, it will directly help me get the functions. I just need to provide the prompt needed, extract the data from the Copilot chat, and use it in my day-to-day life. My overall review rating for Cribl is 9 out of 10.

I have been working with Cribl for three years and two months.

I have faced only one or two instances with the login part, but it was due to maintenance. The Cribl platform was not accepting my credentials during that time, but it was resolved quickly. I have not come across any customer-facing issues, so I would not be able to provide additional details on that.

Whenever I received high volume log metrics consistently, Cribl proved to have the best capabilities. Using Cribl, I processed millions of data per second from various sources including firewalls, Kubernetes clusters, cloud platforms, and Prometheus, which is one of the primary sources from which I receive data. Cribl efficiently handles high-volume logs and metrics through horizontal scaling, easy filtering, smart sampling, metric cardinality reduction, and tiered routing. This ensures performance, cost control, and reliable observability even at massive scale. The primary thing I worked on is the scaling part, including auto-scaling, and I also used load balancers to balance the load between worker nodes and the leader node. Auto-scaling is available and automatically adjusts the scaling part.

I have not worked with other solutions directly, but recently I had an opportunity to speak with the Edge Delta founder who wanted me to review Edge Delta versus Cribl. In that discussion, I remembered some points such as high scalability and auto-scaling being features in Cribl and not in Edge Delta, but Edge Delta may be able to compete on price at some point. When they integrate AI, there may be some additional advantages. Since I work for my organization, the organization bears the whole cost, and I have not directly purchased Cribl software. There are some features that could be included in the basic package, similar to Power App tools in Microsoft. There are many advanced features that require paying additional fees. Some basic features could be added directly to the subscription plan rather than being offered as custom configurations or particular add-ons.

The setup was straightforward with no complexity. Every application nowadays has a seamless experience, and three years ago when I was getting into Cribl, it was already very interactive for me. One additional observation is that there are not many learning videos for Cribl on YouTube platforms or free learning platforms other than Cribl University. I think they will slowly integrate into other streaming platforms as well so that it will be more helpful for users to get into the application.

I did not require an implementation team. When I signed up with credentials, I created an account by signing up with all the details and filling out the form using Cribl's payment gateway. I followed the same process as I would for AWS or Azure. I did not use different options to buy from the Azure platform. I received the credentials directly and just logged in with them. When I was getting certification, I was redirected to their website to buy directly, not from any vendor apps.

The most talked about point for Cribl is that it is one of the most seamless applications to work on. The speed at which it processes data and handles high ingestion volumes is why it is one of the most expensive platforms. I have not worked with anything other than Cribl, so I am not able to compare. However, since my client is Microsoft and I ingest heavy amounts of data every day, Cribl has been handling this very well.

I have not worked with Cribl Search very much, but I worked extensively with Cribl Stream. From my certification, I remember that Cribl Search's Search-in-Place feature allows me to query data when it is already living. Without re-ingesting data into a SIEM, I can search it through Cribl dashboards. For example, I keep data in the SIEM for 7 to 14 days, for months or years in object storage. Cribl Search allows federated on-demand logs and metrics. When platforms can access data without ingesting it directly into the SIEM, I can directly use the on-demand function, and it is mainly used for cost-effective historical search or investigations that have already been done in past years. This Cribl Search feature helps me check seasonality impact, such as comparing last year's revenue percentage to this year's revenue. This helps me make better decisions about the market.

To improve Cribl, I would focus on comparing performance and architecture with other tools. High volume efficiency can be made more seamless, such as improving the identification of noisy sources via metrics and sampling repetitive logs. This feature already exists, but I am talking about how to make it more efficient. I will focus on the high volume data part, reducing data complexity, making performance metrics more visible, and the dashboard can be more interactive. Integration of AI tools can be much more helpful. I am pretty sure that the developers of Cribl have been working on that and an update will come soon with AI integration. However, I need to ensure that data is secured as much as possible because data security is non-negotiable for data engineers.

Cribl is a very interactive application for me and one of my favorite applications to work on. I hope to have more opportunities to work with Cribl. The cost part is very high compared to alternatives such as Edge Delta, which offers much cheaper prices. However, price comes with a cost, and speed and security come with a price.

Integrating AI is one of the most valuable improvements. It will most likely be Copilot because I do not think OpenAI will agree to integrate with Cribl, or Cloud may also come in, but I believe Copilot will be first. Integration of Copilot will be a big advantage for everyone. I would not need to run scripts or go back to documentation to check function syntax because there are many functions I need to use in day-to-day life, and it is very hard to remember every function syntax. When I integrate AI, it will directly help me get the functions. I just need to provide the prompt needed, extract the data from the Copilot chat, and use it in my day-to-day life. My overall review rating for Cribl is 9 out of 10.

My primary role involves transforming customer's DDI environments to newer environments, migrating things from legacy platforms to newer platforms. A couple of my clients had the challenge of log analysis. DDI or DNS DHCP and IPAM environment logs are quite large. When the logs need to be sent to SIEM, Splunk, or any other log analysis environment, the licensing cost is substantial. They were looking for options to leverage this and reduce log size while maintaining visibility. I came across Cribl, a beautiful product that fascinated me. I was also evaluating a couple of other products including DataDog, but Cribl fascinated me because you can customize your requirements. Based on your requirement, you can channelize the logs, make the logs available as needed, and deduplicate things. Many things can be done in Cribl environment. I worked along with the LogStream team with the clients and we set up Cribl environment to pass logs from the DDI environment to Splunk.

In my current field of DDI transformation as an enterprise architect, I have close to 22 years of IT experience working as an enterprise DDI architect.

Cribl handles high volumes of diverse data types such as logs and metrics very efficiently because the data volume is managed very efficiently. Cribl is primarily for reducing the data volume and log volume. Analytics is the area where they need to improve. When passing query logs or DNS logs, if certain malicious query patterns need to be identified or if fast-flux attacks are happening, Cribl can report that and those would be definitely a plus for them. Even if those features are there, or may not be there, I couldn't find those options in Cribl. That's one area where they need improvement. Out of the box integrations with different DDI platforms would be definitely a plus. I couldn't explore much into those areas.

What I like most about Cribl is basically two things. One is the data reduction. When passing syslogs, syslogs are huge, ranging from gigabytes to terabytes in size. When the syslogs need to go to the security operations team or security team for log analysis and event monitoring, it's a nightmare for them to analyze all the syslogs. Cribl intelligently formats them. It intelligently extracts the data from the syslogs and then reduces the size of the syslogs by almost 30 to 40 percent, which I have seen practically. It removes any null values that are not required. It strips down whatever is required and just discards whatever is not required.

Secondly, sometimes in the logs, you find some unnecessary information, such as just an IP, some site ID, or what we call the circuit ID. Cribl fetches GeoIP information or checks for the reputation of domains if DNS queries are going to certain domains. Based on RPG response policy zone files, it adds those additional fields to the log so that the logs can be enriched. When the traditional logs don't show the accurate values, this makes them more user-friendly and more user-readable format. Those are basically the two things that I appreciate about Cribl. It basically presents what is required out of a syslog output.

I have been using Cribl for somewhere around two to three years.

What I dislike about Cribl is that it represents my direct pain point. I basically do DDI migration, which is transforming a legacy architecture to a newer platform. My expertise is in Infoblox DDI. If a customer environment is running with Microsoft or some old bind Linux based DNS DHCP solution, I consult them and if they are willing to move to Infoblox DDI, I help them migrate. The only thing is when we are doing the integration of Cribl, Cribl doesn't have any out-of-box customization packs for Infoblox. Whatever is available is only in the community. I need to go through the community page, download each customization pack or many filters and check whether that filter applies or not. Nothing is out of the box from Cribl. I have sent a couple of requests to Cribl earlier. If these could be available, because Infoblox is a market leader in the DDI segment and if Cribl has a native integration with them, then putting out-of-the-box integration with Infoblox with some filter packs and customization packs would be great for Cribl LogStream.

Analytics is the area where they need to improve. When passing query logs or DNS logs, if certain malicious query patterns need to be identified or if fast-flux attacks are happening, Cribl can report that and those would definitely be a plus for them. Even if those features are there, or may not be there, I couldn't find those options in Cribl. That's one area where they need improvement. Out of the box integrations with different DDI platforms would definitely be a plus. I couldn't explore much into those areas.

I haven't used the new Search in Place technology feature of Cribl Search as of now because my recent engagement with a client where I deployed Cribl and the Cribl log analysis log channel was not there. If I get any chance to deploy for any other client, I will get through that feature.

Regarding Cribl's user interface when managing log processing tasks, the newer interface looks cool compared to the initially clumsy interface. However, those aspects can be improved. I have seen that when switching between dark theme and white theme, some text is not visible clearly in the dark theme and the graphs are very hard to read. If they could improve that, it would be great.

The initial deployment of Cribl is one area where it needs to be improved because the initial deployment takes some time. Specifically, for complex platforms such as an Infoblox DDI platform where there are no out-of-box customization packs available, you need to go through community portals and Cribl community blogs to find scripts and customization packages. It takes some time, but once that is set, it becomes easy. It's quite easy after that.

I have been using the solution for two to three years.

I haven't contacted technical support because we couldn't have gotten any outage or situations where it was not working. I just worked for in small stints for different clients, so that's why I didn't contact technical support on those things. The self-help things and documentation are really good. Cribl has certain videos available where you can go through them and get knowledge.

Cribl doesn't require any maintenance on my end because on the DDI side, no maintenance is required. When sending the log to Cribl, Cribl is passing the logs but storing them. Maintenance will be only required if it's hosted on a VM and the disk space becomes less, then you need to increase the disk space. Basically that is taken care of by the VM team. Ideally in every enterprise, the virtualization team or data center team is different. For the storage issues, they can take care of that. Cribl is just passing and storing the logs. If Cribl is passing on device, then they need bigger storage, and if the storage is becoming less, then they need to increase the storage. That is the kind of maintenance I see, not from the source side.

Cribl is definitely scalable because you get a platform which is kind of vendor-agnostic. Today, you have one platform, maybe a client is using Infoblox DDI, so they are sending the logs to Cribl. Tomorrow, if some other platform they are using for DDI, the log analysis channel or the log plane doesn't get affected with that. If tomorrow you need a little more processing or analysis, you add more instances of Cribl and that becomes scalable. You can scale it horizontally. Vertically also, you can add storage. Both ways it is scalable, horizontally and vertically.

I haven't contacted technical support because we couldn't have gotten any outage or situations where it was not working. I just worked for in small stints for different clients, so that's why I didn't contact technical support on those things. The self-help things and documentation are really good for them. Cribl has certain videos available where you can go through them and get knowledge on that.

The initial deployment of Cribl is one area where it needs to be improved because the initial deployment takes some time. Specifically, for when you have a complex platform such as an Infoblox DDI platform where there is no out-of-box customization packs available and you need to go through community portals, Cribl community blogs and find the scripts and customization packages, it takes some time. Once that is set, it becomes easy. It's quite easy after that.

One or two people can deploy Cribl. That's not a big deal. You don't need a big team to deploy it. At most I can tell two people, that's all.

I still have no idea about pricing because pricing and price point is basically determined by the customer with whom I work. It's taken by a very separate team, the finance team, and they decide on what price it should be. What I have seen in my implementation career with Cribl is that the licensing cost of Splunk is significant because Splunk is volume-based licensing. The more volume of data you are sending, the price also increases. Whatever they save from the Splunk side is ideally adjusted in Cribl pricing. It's a win-win situation from both ends. You save price from Splunk and you use Cribl and eventually you have a lower TCO, lower total cost of ownership at the end.

When I was looking for these kinds of solutions, I had come across DataDog and Kafka. Those are not easily available and cross-platform as Cribl. I couldn't explore more into those other alternatives. I got a good product and I stick with that. I didn't check for others.

Regarding firewall logs, I can't directly tell you the exact information because my firewall is not my area of expertise. I have definitely seen logs decrease in the Splunk logs for a DDI platform with Cribl. If Cribl forwards the logs of firewall to Splunk, then definitely there will be a decrease in the firewall log, but I can't tell exactly how that would be. I have given this product a rating of 9 out of 10.

We use Cribl for log management.

Cribl has the ability to send data to different destinations, making it a vendor-agnostic tool. For log management, we can parse values or enhance fields at Cribl level and then send it to different destinations such as S3, Splunk, Elastic, or other destinations. This feature is the one I love most because it acts as an intermediate heavy forwarder which can route data to different destinations.

Cribl is intuitive and user-friendly in navigating the UI.

Some of the integrations such as SNMP need improvement, and I feel Cribl should improve on SNMP integration and also on the database monitoring space. These two areas need improvement.

I have been using it for one and a half to two years.

Cribl handles volume of logs effectively. In case of any issues, Cribl support does their job in resolving the issues. Overall, it handles the volume of logs very effectively.

I rate the technical support for Cribl as nine out of ten.

Cribl is solving these issues and bridging the gap. There is Splunk which is equivalent to Cribl, but Cribl is currently leading in this space. There may be other alternatives, but they are still in evolving phase. Cribl is a mature product.

Cribl is easy to deploy. Spinning it up does not take much time, just about a week's time. However, getting the data in and configuring those destination sources will take time.

For scalability, I would rate it as nine out of ten.

I am not aware of the data cost. However, Cribl solves the complexity of having different agents installed. If we shift from Splunk to Elastic, we would have to get a new agent installed and point our applications to Elastic. With Cribl, it solves the complexity of having multiple agents in between and forwarding data. We can forward it to Cribl and then Cribl can send it to wherever we like. This kind of complexity is something it solves.

Big businesses use Cribl.

I assess the stability of Cribl as eight out of ten. I recommend Cribl for others looking to implement this product. I would rate Cribl overall as eight out of ten.

Transform data and reduce ingest licencing in other products (Splunk).

I have seen a decrease in logs with Cribl, but I think a lot of people expect it to decrease significantly; we are just slowing down the increase. People need to take into account that the log growth is exponential. I think this is a good takeaway. Also you get your investment back the moment you prolong your other solutions where the ingestion has decreased not sooner.

I think that most people use Cribl Stream, but not the other products; they mainly have the use case to reduce data. To get the other products to work for customers, there need to be better solutions, and it needs to be crystal clear what the product will bring them.

Searching data on the source, is not yet wanted/allowed by companies due to (to my opinion) outdated security rules.

that the right data is in the right place. talking about transforming and only sending the parts of the logs that are useful, reduce of noise.

I think the best features in Cribl are that you can do everything via the UI, making it very user-friendly, and you can see examples of the data live to preview your processing.

Using Cribl for five years has simplified a lot of use cases when onboarding data, and because it is simplified, it takes less time, which is a huge win.

I think a lot of companies would benefit from a smaller starting license. Perhaps make it free till 100GB for 1st year, that way companies will adopt easier.

I have been working with Cribl for five years.

I would rate the stability an eight out of ten because, although I rarely experience downtime, I would say it's an eight out of ten.

Cribl works fine if you scale properly, handling high volumes of diverse data like logs and metrics effectively.

Cribl is scalable for my organization and I would rate it a nine, but when onboarding a new data stream, it is sometimes hard to know how much impact it will have in your environment. Based on some calculating figures, you don't know beforehand what the impact will be.

I would rate the technical support for Cribl a nine.

No, other companies offer bits and pieces of what Cribl does, but not a comparable solution.

My experience with the deployment of Cribl is that it's really easy.

It takes a day to instrument Cribl, but onboarding all the data takes weeks.

In my company, Cribl is purchased directly, but in another company I worked with, it was via a partner.

Its an easy win for larger companies, other ingestion costs are for instance 600 dollars per GB per year and cribl maybe like a 100, thats a 500$ win per gb, so easy to get money back. the starting license however is 1tb which might by a drawback for smaller companies.

Its an easy win for larger companies, other ingestion costs are for instance 600 dollars per GB per year and cribl maybe like a 100, thats a 500$ win per gb, so easy to get money back. the starting license however is 1tb which might by a drawback for smaller companies.

I think Cribl is quite a unique product with no real competitors; there are competitors that do bits and pieces, but not the full product. If you take Splunk, you can do bits but you cannot send your data to other platforms, so it isn't really a comparison.

There are no cons for Cribl that I can think of.

Approximately 15 users work with Cribl in my organization because we don't allow everybody access, so it's local.

Cribl does not require much maintenance; just some updates from time to time, but those are really easy.

I do not use the new Search-in-place technology in Cribl Search because it's not allowed in the company that I work for.

I give Cribl a nine because it is very simple to use and it covers a lot of use cases. Best part is you can talk directly to developers / technical support on slack.

My use case is log management. The problem was in Sentinel where Syslogs park in a separate table and CEF logs park in a separate table. We were planning to convert the Syslogs to CEF format, which was not easy in Sentinel. Cribl helped us accomplish that.

There were many applications working in the client environment with ingested logs that had different column names. We normalized those using Cribl.

I appreciate Cribl's overall flexibility. If I can use regex, I can write KQL things in the pipeline. The built-in functions, which are really good, are very helpful.

I value that Cribl shows the payload before conversion, after conversion, and what has been transferred to the destination. This transparency is really great.

Cribl is intuitive. A user can easily see how the payload or log looks before conversion and how it looks after conversion, and what has been transferred to the destination. This makes it very interesting and intuitive for the user.

I don't think there is much complexity because the documentation is good and Cribl University helps a lot to understand the product. Cost is sometimes a problem with customers if they don't have budgets. Otherwise, it is not that much. The value addition that Cribl provides compared to the cost is significant.

Cribl is easier to use. The only area that Cribl should focus on is cost-effectiveness. I have deployed Cribl at four clients, and the major challenge in convincing them was the cost.

I have been a user of Cribl for the last three years.

I don't think any of my customers have required maintenance or generated a ticket complaining about any problems in Cribl. It's working fine.

It is manageable. It depends on how you manage it. If you manage smartly, then there is no problem. Otherwise, sometimes one or two logs can create a problem.

I encountered technical support three times and I must rate it as eight out of ten. It was really awesome and very supportive.

I would rate it as nine out of ten. During deployment of four customers, I had to contact the support team only three times, and that was also my fault. There was not a problem in the product. Cribl is very stable and a mature product.

I have worked on Virtual Metrics, which is a Dutch solution, and Ninja, which is something else, but they also provide similar services. However, Cribl is a very mature product.

I have seen a few more tools like Virtual Metrics and others, but Cribl is on top.

If you have gone through the documentation properly and completed Cribl University's courses, then it is easy to deploy and implement. It is not a difficult thing.

Currently, I am not pursuing a partnership. Earlier, we discussed with Cribl, but then we decided to go for three to four years without any partnership, and later on, we will look into it. Maybe in 2027, we will discuss with Cribl to develop a partnership, like becoming a reseller.

If I count the total of four customers, it is almost 23 users.

I have not used it until now, but I am working on Cribl AIDI, the AI feature which has been recently given in Cribl. I am learning in that area.

I think it will reduce my workload a lot. It will manage many things on my behalf if I successfully use it in a smart way.

I have seen two other solutions which claim to be competitors to Cribl. If I compare with them, I will give ten out of ten to Cribl. It is a very detailed and very mature product.

It depends on whether your use case is strong enough and you think that Cribl is the only solution which can solve your problem. If so, then cost is nothing. Otherwise, it is a little expensive.

First, when I feel that any of my customers should deploy Cribl for their use case, I discuss it with them. If they don't have budget or any constraints, then we look around. Otherwise, my first priority is always Cribl. Going with my first customer, I was a little hesitant to deploy Cribl. However, once I deployed it at my first customer and seen the results, I had evidence. Then my first priority became recommending Cribl.

Basically, it is not my area, but if you convince the customer and the end user upon the value addition that Cribl will provide them, then cost is a secondary thing.

I give this review an overall rating of nine out of ten.

My current use cases mostly involve using Cribl before Splunk to reduce the license by normalizing the logs, by reducing the raw data and dropping the unwanted data. Cribl can process different formats, and the team can easily adopt it, so any data will be modified. These are the use cases, as I mostly use Cribl for Splunk purposes. Additionally, if I am required to send the data to other destinations, I can use Cribl because during a migration process, I typically have two similar solutions to send the data to those two particular destinations.

For instance, if auto information is not available, Cribl will remove it from the log itself.

If the firewall logs are needed for security or IT purposes, I can easily send them to different destinations.

What I like the most about Cribl is its Web UI feature, which is totally user-friendly and has many functions that can change the data structure. That is the main thing I appreciate. I can also reduce the size of particular items, and since Splunk's license is high, this functionality is very helpful. This is the main feature, but for this purpose only, I am using it. Most of the tasks are handled in Cribl, which makes it easier for Splunk to parse the data and maintain SIM compliance.

Cribl handles high volumes of diverse data types, including logs and metrics, quite effectively. It has separate handling for metrics and can manage them easily based on size. Prior to handling data, the appropriate memory size for the CPU needs to be determined to accommodate a higher amount of logs and metrics.

Cribl acts as a super product because it enables one source to send to multiple destinations using only one copy.

To develop user skills in Cribl, it needs to improve some certifications, as the ones I have taken are not entirely helpful in the main projects for the clients. The documentation requires more improvement in the certification aspect to better develop user skills.

I have been working with Cribl for two years.

Cribl's stability is good, with no issues present. I have been working with it for two years, and it is only helpful in changing the data.

For scalability, I would mark it as nine out of ten.

I have contacted the technical support for Cribl, and I found their service to be good. I faced an issue for one of my customers who couldn't send the universal forwarder internal logs to display in the monitoring console. They quickly resolved this by enabling something in their worker, allowing the customer to receive all the information they required.

I have not used any alternatives to Cribl; there is no similar product I have utilized.

The initial deployment of Cribl is easy, with a few steps similar to Splunk. The installation process is straightforward, and ample information is available in the documents. All the documentation can be found in Cribl university.

I remember that it takes approximately two hours to fully deploy Cribl for the first time, especially for clustering. For the deployment of the leader and the workers, if all the requirements are met, including network requirements with no port issues, I can deploy Cribl base within that timeframe.

One person is enough to deploy Cribl; a team is not necessary.

I have seen a decrease in firewall logs with Cribl; I have almost a thirty percent decrease when estimating usage. Cribl effectively reduces unwanted logs, eliminating what is not required or what is unavailable.

Regarding pricing, I find it okay because Cribl is used to reduce the costs associated with Splunk. Comparatively, the Splunk license pricing is acceptable, so I have no issues with the pricing. Customers prefer to use Cribl instead of the Splunk license due to these benefits.

I have not used any alternatives to Cribl; there is no similar product I have utilized.

I have no dislikes about Cribl, but I notice that there is only an extra product in between when using Splunk. However, if I have different destinations, Cribl acts as a super product because it enables one source to send to multiple destinations using only one copy.

Their ongoing improvisation means they are consistently getting new features, and they are continuously improving.

I would give Cribl a score of nine out of ten.

I was not regularly using the same tool, but there was a time when our team needed to migrate some data from one tool to another, and during that data migration phase, we used Cribl for six to seven months. We did some coding from Splunk to Elastic to send our data logs.

Our use case was majorly to migrate our data from Splunk to ELK, which are two different observability platforms that we use in our team. Because our team was switching to Elastic, we needed the same data that we use in Splunk. In Cribl, we created pipelines and data routes to share the data. The admin side clipped the IP address from Splunk into Cribl and from Cribl to ELK, whatever the scenario was for them. Majorly, we used it for the data migration.

When managing log processing tasks, I would go with the first option regarding the user interface; it was pretty simple. It took me some time to understand the logic and how to create pipelines, but with some time, I got really comfortable, and I would really recommend it. The UI was nice, easier, and faster. In the beginning, it was a bit tricky, but once you get a hold of it, it is really nice to use.

The things that you mentioned were easy to use, and since we did not have any experience in Cribl, it was easy to code. Index is equal to this and all that; that was pretty easy. Setting our pipelines, setting the data routes, and understanding those things was pretty simple. I really liked that and the interface. When I write code, I can see on the right-hand side that the events occur. Input and output, those sort of things, I really liked all of that. It made it pretty easier to understand the data and what we had filtered there.

In Cribl, I feel that maybe I am not aware of it, or maybe it is already there, but I think if there was a way to learn more about it. There are a lot of areas to explore. For example, if my work is only around creating pipelines, I am only expert in that. If I would like to learn more about the other things that Cribl can do, I feel there is not a lot of learning material. Or maybe I have not searched enough; maybe there is because I remember we learned from Cribl only. There was a Cribl course, and then we got a little idea of it. But if I want to explore particularly in one area, like a tool can do a lot of things, so if I want to learn about the 'B' section, how it does, what it does and all that, I feel there should be an easy manual or something. Maybe there is, I am not aware of it. That is what I thought; the application was nice. After some time, we were really comfortable. But if I want to learn more, can I get those manuals easily in the market and all that? I am confused on that part. Maybe there is, but maybe I am not aware of it.

Again, maybe I am not aware of it, maybe there is already. If there is, then nice. If in the future I would like to learn more, then maybe I will go there. But if not, that would be really nice because people are really interested in this tool when it comes to migrating and all that.

Six to seven months.

The tool is stable. I would rate it a nine.

There are times when the data is not present in the second tool, the output tool. People do some monitoring on Cribl's side to see if someone turned off the data set or something like that. I think it requires a little maintenance in six to seven months, or if there is a bug. But I am not sure if that is a painful task because I am not around for that. So I am not sure how much painful that is, but I think it does require some maintenance in short to long term, at least once.

Technical support, I think nine. Nine or 9.5. Whenever needed, there were Cribl experts and all that, so they were able to resolve anything. If they needed, the support team was always there. I would say 9.5.

I have only explored Cribl, and I did get a sample box for other tools from some people on LinkedIn, but I have not tested it out. Maybe if I was primarily working on this tool, I would have explored those things. But I have not, so I am only aware of Cribl. I cannot compare with others since I have not tried them.

The initial setup process was straightforward.

I would rate the return on investment a nine.

I am not aware of the pricing because I was not a part of it. We were developers. But as far as I understood, I think it is a bit expensive. I am no one to complain, but there was this person on LinkedIn who mentioned they also have a common tool like that, and they were saying that they have a cheaper way to do it. I heard that this might be expensive. Since the cost area was all on the admin side and the architect side, we were not in the loop with the costing, but I have heard that this is expensive. There are other tools which can do the same job cheaper, but I think they also might miss some of the advantages of the tool.

Many filters we use really decreased the number of events going on, but not in the firewall. I am not aware of that; I am not an expert in that area.

Regarding the ability to contain data cost and complexity, I felt it was pretty easy. Because of the routing system and all that, I can manage my data in a certain way that you have to filter out this and that. I would say it was nice.

I do not think regarding the new search and place technology feature of Cribl Search. Maybe if I have used it, I do not feel that I remember that part, or maybe I have not.

I have mostly positive feedback with no reason to say no because I am not paying or anything, so I am not aware of the cost. Mostly because of the positive reasons, I would say it is easy to use, it is sustainable. The support is nice, the coding is quite easy to understand, there are a lot of functionalities there. You can do a lot of things, and the data migration is very easy. For all these reasons, if you are stuck between two things and majorly what our team did was use it for migration, you can always rely on Cribl. My overall rating for this product is nine.

My usual use cases for Cribl involve collecting logs from many endpoints, including user activities. We collect logs into either Log Analytical Workspace or Event Hub and redirect to Cribl so that Cribl filters the required logs and redirects them to the SIEM tool.

We do not get a chance to use the user interface of Cribl because our client has access to that; we only implement and do that. They will check whether it is there, but based on my experience, it will be pretty easy to see what is in the user interface, and it will be easy to manage as well.

We have not used Cribl Search to a large extent because the client requirement was to only implement Cribl and integrate it with the SIEM. We have not used Cribl Search extensively, and I do not have any information about it.

The features of Cribl that I prefer most include the way it can easily be interfaced to SIEM and Event Hubs in Log Analytical Workspace. From Sentinel and from any other tool, it can easily be interfaced and it can send data to SIEM; those features I prefer to use most.

In assessing Cribl's ability to handle high volumes of diverse data types such as logs and metrics, as of now we have not faced any problems in collecting a large number of logs. Cribl is pretty efficient in collecting logs even when there are too many logs flowing at a time. We can collect not only server logs but also OS logs and even audit logs without any difficulty, and there has been no blockage in the system. There are no complaints, but it has been a very good experience using Cribl. Since this is a software as a service, if any problem exists, we just raise a ticket to Cribl team, and they will immediately jump into that and resolve all the questions or queries we raise.

Regarding Cribl's scalability, we did not have any problems with any cloud compatibility. The client requirement was to use Cribl, and we were checking whether it is compatible with Azure. Within a single day, we got a solution that it is easily compatible. We just needed some prerequisites, such as opening a few ports, and we wanted to ensure that everything was working regarding the reachability of the client to the agents. Once this was done, we did not have any issues.

I am not in a position to comment on how Cribl could be improved or enhanced because it is a good tool, and I have only used a small part of the entire Cribl product. As of now I am pretty happy with the entire Cribl component, but there are still a lot of things to learn.

I have been working with Cribl for the last six months.

In assessing the stability and reliability of Cribl, as of now we do not have any problems with stability. Even though we had two worker nodes in one region and a load balancer, we did not face any system issues. In case of vulnerability where we wanted to patch any one worker node, we easily did that and switched it on. We never faced a problem where some software was not there and therefore not working. Reliability-wise, Cribl is working perfectly fine.

Regarding scalability, we started with zero servers and have around 285 servers now. We did not experience any problems or slowdowns due to a lot of load. Cribl neatly managed everything.

I can rate Cribl's scalability around 9; I would say 9.5.

I have addressed the technical support team of Cribl. Every now and then, if there are servers having legacy operating systems, the latest versions of Cribl will not be supported. We have to contact them and ask which version will be supported because they have prerequisites. Based on the prerequisite, we have to downgrade to an older version of Cribl rather than use the newer version because it expects some advanced Java version. However, due to legacy systems, we do not get all those things. We manage this because those are all crown jewels of the client, and we do not want to change anything there, so we downgrade Cribl version and install it. We did not find any blockers because of this downgrading.

The skills and professionalism of the technical support team from Cribl are very good in terms of timing and skills. They understand the problem clearly, and once they understand it, they will resolve it within a day. Sometimes they resolve it within hours. Sometimes by hearing the problem itself, they will know what the solution is, and they will let us know how to resolve it, and we do it immediately.

I left the organization and I am no longer in the same organization, so I do not get a chance to work with these products (Darktrace, Microsoft Defender, and Perception Point Advanced Email Security) anymore.

For deploying or setting up Cribl, the requirements were given by the client, and we had to abide by that. Cribl was the only tool we had to use according to our requirement. We started with the deployment where they had given the requirements, and then we started with that and performed it successfully, starting with installing agents in all other servers.

The deployment and setup process of Cribl was straightforward because there are two ways to deploy. We can get an EXE, click and enter the details, or there is an automated script where we can run it and it will do it automatically. In the case of Linux, it will update and install the latest package, which is also quite easy. It is not a very tough thing to install any agent inside the system. It is pretty easy.

For support, we always raise a ticket to Cribl. We do not get the entire thing, but support activity is what we get. I have just implemented and I have just redirected the logs into Cribl for collecting all the security loggings.

I am an end user of Cribl. We manage Cribl for only implementation. As we have just implemented it, I am using it in our organization.

In sharing my thoughts on Cribl's ability to contain data cost and complexity, nowadays because of events per second, the way of SIEM billability is based on events per second. If you inject logs into Cribl, we can save a lot of data. Many logs are repeated logs. We can easily avoid repeated logging into the SIEM, which will also reduce the fatigue for the SOC engineers. This is one positive aspect of using Cribl, as we can reduce the number of events and increase flexibility and efficiency in the environment.

I'm not sure of Cribl pricing because it has been procured as a package by our client, and we are not exposed to or do not have an idea of how much they have spent to get a license from Cribl. But I understand that it is a little bit on the higher side. However, for what we have paid, the quality of service which they have provided makes us happy with that.

I do not think that if the pricing is on the higher side, it could be suitable for all types of users, such as small or medium ones. Each security component is important these days, and I feel Cribl usage always helps the product. However, it also depends on the budget they have. If they are able to use Cribl as a log monitoring tool for the SIEM according to their budget, it would be good. Again, there are pros and cons which we have to consider about their budget. If it is a very small organization, Log Analytical Workspace would be enough to collect all the logs. But if it is a big organization and budget is not a concern, I think they can go for log monitoring.

I have not seen a decrease in firewall logs with Cribl so far. What we do is use Event Hub. We actually redirect the entire thing to SIEM, so it will not come via Cribl. It will come via Cribl, but it will filter the required things based on our use case. We do not write all the packets because most of the packets would have been filtered in the firewall itself. Whatever packets are coming towards the firewall, if we want to collect the logs, we are directly interfacing with SIEM and we will collect it from there so that we do not want to lose what is the external activity on the internet towards our environment.

Based on everything I just described, I would rate Cribl overall as 10 out of 10. I have not used other parts of the feature; for whatever log monitoring I have used for Cribl, I always try to rate the maximum. However, I have not used Cribl Lake, Cribl Search, and other things they offer, so I cannot comment on those.