Our main use case for Cribl is to help us reduce cost. Currently, we use the Stream and Edge products of Cribl, and it's on-premise for us. The Stream helps us with any optimization work that we have to do in terms of reduction of the data itself.

The Stream product benefits us by giving us the ability to reduce and streamline the logs flowing into our SIEM. Cribl Stream helps us optimize the data before it reaches our SIEM tools. We've performed extensive aggregation and deduplication of logs, allowing us to cut down unnecessary data before it's sent downstream. This has helped us reduce costs by controlling exactly what data gets forwarded to the SIEM.

In our case, we deal with very chatty logs, especially firewall and other network logs. Using Cribl’s aggregation and drop functions, we were able to significantly reduce the noise. We send a full copy of the raw data to S3 or another data lake, while only the reduced logs are sent to the SIEM.

Another major value we gained from Cribl was how quickly and efficiently our data pipeline became. Previously, onboarding new sources or clients was a challenge. Now, the process is semi-automated and far more streamlined compared to what we had before.

One area that could be improved is the aggregation functionality within Cribl. It's very difficult to aggregate low-volume logs because the worker processes don't share state. Since each worker process initiates separately, it becomes very challenging for aggregation to maintain a consistent state across them. As a result, aggregation becomes problematic, with different worker processes operating in different states while pulling data. A good improvement to the aggregation functionality would be if most of these events could somehow land in a central processing unit or repository, where aggregation could be applied before the data is sent downstream.

I've been using Cribl for over three years now.

I can confidently say we’re finally getting some good sleep. Before Cribl, we were constantly getting late-night calls about data flow interruptions. Migrating from those SC4S servers to Cribl worker nodes has truly been a game-changer.

In terms of scale, Cribl scales very efficiently because we do horizontal scaling. If we have a burst in data sources or an increase in data sources, all we have to do is add a new worker nodes, and usually that solves the problem.

The customer service and the technical support team at Cribl has been very helpful to us. We've had some really unique cases where sometimes they would refer us to professional services, but they would come back with solutions from someone who may have run into that similar issue and provide us with a solution without having to go through professional services. This has been very helpful.

Prior to Cribl, we were using SC4S, which had a syslog-ng engine, and we were doing a lot of manual work, especially when we had new data sources. We had to build something that didn't have a pre-built template within SC4S; it was a challenge to build out templates for it, especially with new folks joining the team sometimes who didn't have any clue about where these things were being kept. It was a huge challenge for us to build those templates for data sources that didn't have any templates at all.

We also had our heavy forwarders, which we were writing transformations and props to help us reduce data. It wasn't doing quite a very good job, and Cribl had some of these advanced functionalities such as aggregation and those drop functions, which was very easy to configure, whereas in the past with the heavy forwarders, it was very hard sometimes to even build transformations to do the same thing.

When deploying Cribl, the process went very smooth because we had a Cribl engineer on our side who helped us significantly.

In terms of pricing, we had a very good deal with Cribl. We were paying very expensive SIEM costs, and introducing Cribl into the picture was able to bring down that cost. We were able to get the setup for the whole Cribl infrastructure at little to no cost, and it definitely brought us significant value and cost savings from that direction. In terms of reduction, we were able to save almost ~40% of our total cost.

Other products that we considered throughout the process included Splunk Ingest Processor, and we did a POC on that as well. Some of the positive aspects about the Ingest Processor was that it was right at the edge of your Splunk deployment and therefore there isn't any need to deploy or reshift your infrastructure; it actually goes right into it and then feeds into your Splunk environment. In terms of the disadvantages of Splunk Ingest Processor, it has very limited functionalities compared to what we were getting from Cribl. Cribl gives us the aggregation functionality, which was a huge win for us, being able to aggregate all the events brought us huge reductions, and also the drop functionality and some really advanced functionality within the Cribl tool itself.

Based on my experience, the advice I would give to other companies considering Cribl is that your decision should be very specific to your use case but do not underestimate the amount of data you're dealing with. Data will continue to grow over time, and a tool like Cribl can significantly help reduce costs before the data is sent downstream.

Another important consideration is whether you need to send data to multiple destinations. This was a challenge for us previously, and Cribl helped simplify that process. My advice to companies is: if you're drowning in data and cost, Cribl is essential. It gives you full control over your data and makes management much easier.

As an organization, we've adopted AI heavily and integrated it into many of the tools we use today. We're actively looking to bring similar capabilities into Cribl. It's already in our pipeline, and we see strong potential in using AI to streamline how we build Packs and Pipelines. With AI integrated, we believe it could significantly reduce the time admins spend building specific pipelines for various data sources.

On a scale of one to ten, I would rate Cribl a solid nine based on what we use it for today and the value it delivers.

I use Cribl with all of my customers that I manage services for. It's how I get their third-party log sources into Microsoft Sentinel.

We save about 75% percent of our costs by processing network and firewall logs through Cribl. This is largely due to the compression and duplication that exists within those logs. They tend to be very noisy, and most of the information isn’t useful from a security standpoint. While some of the data might be valuable to other departments, we don’t need to store all that extra information. By removing these unnecessary details, we quickly reduce our data retention costs by 75%.

Cribl makes it very easy to contain data cost and complexity. As far as complexity is concerned, there might be manual ways to do it in other products, but not with the ease and durability. It remains the same, whereas you might try to put a patchwork of other things together to get the same result. In terms of controlling costs, we achieve about 75% savings on data storage, which is fantastic. However, it’s worth noting that Cribl is not free, so we do pay for it to realize these savings. As long as Cribl doesn’t increase their prices too steeply or too quickly, we should be fine in terms of managing our costs.

Cribl definitely handles high volumes of diverse data types. Anything from firewall logs, endpoint security logs, to Windows event logs can become very noisy, especially in large environments. I've not had an issue with Cribl dropping logs. Occasionally there could be a short-term outage, but that's definitely very rare.

My favorite feature is Cribl Stream. That's probably the only Cribl product I have a lot of experience with, and Cribl Stream makes it very easy to identify where all the customer's log sources are and to quickly connect them to a destination source such as Microsoft Sentinel and Microsoft Azure Data Storage.

Cribl Stream does two things: not only does it make it easy to connect one log source or one dataset to multiple storage locations, but it also has compression features, which greatly reduce the storage cost for that data. It strips out and compresses data so that only the absolute information remains and not any duplicates. Dual destination and compression are the two top features.

I would Cribl to become more Microsoft-focused. A lot of my work is in the Microsoft environment. Cribl supports all of these other platforms out there, and they seem to be developing a lot for CrowdStrike. I'd prefer to see some Microsoft-specific connectors built inside of Cribl.

I have been using Cribl for about two years now. They've only been around for about four years, so I've been using them for half of their existence.

The performance and stability of Cribl are fantastic. The uptime is 99.9%. We are realizing all of the cost savings promised, and there are no failures.

Scalability is easy because we can just go into the portal and add a new log source. If we onboard a new firewall or something we want to collect logs on, we can quickly implement that. I don't need to talk to a Cribl engineer to connect a new log source. The only requirement might be purchasing more Cribl credits if I'm running low because I'm asking it to do more than originally specified.

We've engaged their customer service and support, and anytime there's an outage, they've been very receptive. They've quickly escalated our tickets and helped us get resolution. We've never felt we were waiting for a response or that they didn't know what was going on. I think it's maybe because we were an early customer. I would assume it's the same for all customers, but we've gotten great treatment.

I would give them a 10 out of 10 for support. They are very responsive. We deal with a lot of other cloud solution providers who have tried to save money on support. It could be that because Cribl is new and they really want to make sure all new customers are being successful, but we really hope this continues. We don't feel we're alone.

The only alternative I can compare Cribl to would be Azure Data Transformation, Azure Data Time configuration rules and policies, basically making the storage source sort the data, and that is very painful. I don't see any next-best options when it comes to Cribl. They seem to be a leader and standing alone in their service offering, specific to Cribl Stream. For other products such as Cribl Lake, there's now Microsoft Sentinel Lake, which is a competitor, and I haven't really analyzed the pricing to see how competitive that is. But regarding Cribl Stream, there's no close competitor. The closest is extremely painful, requiring about 20 pages of configuration to even get close.

It's straightforward. They have a really nice user interface, and their service engineers will guide you through the initial setup. Since they are compensated based on product usage, they ensure that we are properly onboarded and that our experience is as successful as possible.

To deploy Cribl probably took an hour. Identifying all the different log sources that we wanted to bring in took about another eight hours of human work as it was a data exercise of determining which log sources are important to us, and where we can get the best compression or data size reduction. You can connect to them all automatically, but you want to have the thought process of which ones matter and what actual data you need.

It does not require any maintenance on my end. The big thing is just checking connector health to make sure everything is running and that logs aren't dropping and that there haven't been any changes. In case there's any outage, putting in a ticket for any outage issues is very minimal. It's set it and forget it, and then just monitor to make sure nothing's bad or nothing has gone wrong.

We're a large organization, so we have a team of about five people who worked on the deployment of Cribl. I'm sure smaller organizations could use a lot less. We probably could have gotten away with two or three people. Not to say one person couldn't do it, but it's always good to have another person putting eyes on the process just so that we don't have a single point of failure.

The pricing has been increasing year-over-year, and I understand that the cost of business continues to grow. The cost of log retention and all the aspects they're fighting against, they are also a victim of. It is a concern that I'm watching as they raise prices about 10% year-over-year. I am still observing significant cost savings, although the amount of savings is gradually decreasing. Additionally, they are currently the sole provider of this type of solution, which means they face no competitive threats.

I would rate Cribl a ten out of ten. I truly appreciate them as partners. They genuinely feel like they're with us on this journey to manage the increasing volume of data. It's been exciting to watch them grow. At first, I thought I was a bit of a nerd for being an early adopter, but seeing so many others come on board after us reassures me that we made the right decision.

I am using Cribl to have everything centralized in one tool in terms of data collection. We were working with different Splunk customers, and Cribl helps collect data and then send it to an S3 bucket or Amazon Web Services (AWS) response plan.

Cribl allows us to enforce security for some customers. For instance, if they want to add fields, values, or need to change formats to comply with different security standards, Cribl makes it possible.

My favorite option in Cribl is the Stream product. It is the best use case for us and our customers. Additionally, the community on Slack is excellent for solving questions and getting ideas.

At the moment, I don't have specific feedback on what can be improved as I do not work with Cribl daily. Perhaps more flexibility in terms of metrics would be helpful.

I have been using Cribl for about two years, more or less.

From my experience, I did not face issues with Cribl's stability. However, I heard others have faced issues.

In my experience, Cribl has been perfect in terms of scalability. I did not have any issues.

I haven't contacted them in terms of paid support. That said, the community, including the engineering and sales teams, is available on Slack and is very supportive.

The initial setup is really straightforward, and the documentation is very good.

I am not aware of the pricing details, however, I know they use a credit format for billing.

Utilize the documentation to ensure Cribl fits your use case, and join the Cribl community for any questions or recommendations.

I'd rate the solution ten out of ten.

In this particular situation, we use Cribl to deploy data to various destinations. My role is to create and analyze data and deploy it to the appropriate location required by the organization. I also monitor data to manipulate or adjust it as needed. Additionally, we use it to amend or remove some lookup in the data or to add some phrases, ensuring it meets the organization's requirements. Overall, we use it for daily data management activities.

Cribl makes the work easier by providing a straightforward way to deploy data from the source to the destination without much coding. It is valuable for resizing data, increasing process complexity, and enhancing deployment availability. It simplifies the process of sending data to various destinations while providing options to block certain destinations, which is more efficient compared to other applications that require deploying data one at a time.

Features such as Cribl Stream, Cribl LogStream, and Cribl Edge have been the most beneficial. The Cribl LogStream, in particular, is valuable for routing data, creating firewalls on pipelines, and putting security measures in place to ensure data reaches its destination without issues.

Cribl should consider adding more features that are applicable to smaller firms, allowing broader access to their data migration through Cribl. Additionally, there's room for more enhancement concerning the desktop server so tasks can be processed more directly.

I worked with Cribl for about eight months, and I stopped working on a specific project with it five months ago.

Cribl has been stable. Even when issues arise, having a KPI knowledge allows us to address challenges without significant difficulties.

Cribl is very scalable, and I'm looking forward to continuing to work with it for a long time due to its ability to upgrade and improve continuously.

I would rate Cribl's customer service and technical support as nine and a half out of ten. We have worked with various teams to address some issues, and the support has been exceptional.

Previously, I worked with Azure Active Directory and other applications to handle tasks such as Azure DBN, data deployment, and subscription management

The initial setup of Cribl was straightforward, often taking as little as thirty minutes for deployment. Cribl has QuickConnect features that simplify the process significantly. However, we preferred using routing and pipelines for more control and security measures.

Working with the relevant implementation teams, including the network and SOC teams, ensured that deployment and maintenance processes were completed smoothly.

For now, I haven't seen a return on investment with Cribl, particularly in terms of processing time and cost-saving.

Cribl offers a reduction in pricing, up to thirty percent, which is beneficial. Although I'm not involved in licensing, I know that the price reduction is accurate and well-received.

There are other solutions like Azure and Splunk, and each has its strengths. Cribl stands out due to its streaming data model and integration for security use.

I would recommend Cribl to organizations facing data challenges due to its perfect security measures and ease of use. It offers a simple, fast, and efficient solution.

We use Cribl for multiple purposes. One key use is migration to Splunk Cloud. Traditionally, we used Splunk as an intermediate forwarder but switched to Cribl for this role. Cribl collects and sends the logs directly to the cloud, forwarding all data to Splunk Cloud.

Another advantage is the ability to extract only the necessary data visually rather than handling it in Splunk's Props. You can see the changes you're making and directly onboard specific logs, avoiding the need to onboard all data.

Additionally, Cribl offers other valuable features. For instance, you can replay data from an edge device, store your daily data in a stream, and replay specific event data into Splunk if a security incident occurs. This targeted replay allows for analysis without onboarding all data into Splunk, providing a significant cost-saving benefit.

You deploy the pops and see it effectively on the page. There are functions that you can deploy in the pipeline, and you can sample that particular function. For instance, if I'm deploying a function like an A or JSON function, I can test it live before deploying it into production. This allows us to play with the data and verify if the outcome is as expected, ensuring that the processed data matches the anticipated raw data amount.

Additionally, if you want to push an upgrade in the recent four-star version, you can update all other worker groups directly from the master rather than updating each part separately. You can instruct the master to push the update to all other workers, eliminating the need to push the update to individual nodes.

Cribl has a good community base, but unlike some vendors like Splunk, which has many TAs, Cribl doesn't have as many packs available. They need to focus on developing more custom packs for various vendors so that their solutions can be used more effectively. This will help users identify which logs are necessary and which are not.

I have been using Cribl for the past three years. We are using the V4.1.2 of the solution.

Cribl is a pretty stable product.

Support is quite good. If you notice an issue and report a case, they respond promptly. If there is a problem, they raise it internally, develop a fix, and push it to production immediately. Their turnaround time is also critical.

The initial setup is easy if it is planned.

It's cheaper than Splunk.

Cribl has had a positive impact on reducing the need for multiple support services. It simplifies collecting log data from various cloud vendors in a single place, which is much easier than configuring, managing, and maintaining a database for a Splunk add-on. Cribl has made it easier to handle log data.

It takes about two months to get fully up to speed. Cribl provides free training and offers sandboxes for practice, allowing you to gain the necessary knowledge. Once trained, you can start working right away.

Overall, I rate the solution a ten out of ten.