Cribl Reviews

Our use cases that we are exploring Cribl for right now are for data parsing and data manipulation.

The feature I appreciate most about Cribl is that it is really easy to use and quick to replicate data models on different data sets. We have over 1,000 log sources, and currently, we have to configure them individually with their own architecture. Cribl allows us to do a copy and paste architecture and saves us a lot of development time. It also makes it easy to add any sort of extra data parsing to specific lines. Ease of use is really our biggest benefit from it.

Something that Cribl could do better is processing time. There is not enough customization to improve performance. An example would be with AWS Lambda functions, the way we were doing it before. There are different strategies where the way we code it could save us more processing time and still have the same price. With Cribl, it is very much set in its ways. If you want better performance, then you have to pay for more resources.

The UI is a very beneficial thing that saves us a ton of time. I mentioned the copy and paste approach and little to no code anymore, as it is all UI interface-based now. There is little to no code that we do other than regex commands. If there was still some aspect of being able to add our own code, we could potentially get better performance. I understand this is the whole use case of Cribl, to remove the technical need aspect. You do not need as many experienced developers; you will pay for software and have to hire an analyst instead of an engineer and save money on wages. For how good the tool is, it would be nice to still have that data engineering aspect.

I have not been using Cribl in my career. We are a company that is interested in investing in it at the moment. However, we do have several teams that have used it and we have also had access to a dev workspace that we have used.

I have not had any issues. So far, everything has been good.

It is pretty scalable, just in terms of cost. If you have any problems, it is probably going to be more about having to pay for more resources.

Currently, we are using Logstash, and we are also exploring a POC with DataBahn. DataBahn is a newer company. They are not as sophisticated as Cribl, and the performance is probably not there, but they make up for it in cost.

Being new to Cribl, the setup was very easy.

For us, it could have been done with one person, but we had different team members involved just for exposure because we were onboarding it with many people. It could have been a one-person implementation, but two to three people would have been a good healthy number.

The current pricing is a little bit above average.

We are using around 25% of what Cribl offers, mainly focusing on log parsing, which is what Cribl started with. We use AWS as our main source of ingestion.

There is little flexibility in pricing. It is simply the market price, and you either pay it or you do not. Cribl has significant capacity to handle high volumes of diverse data types, such as logs and metrics. Cribl can handle almost anything we throw at it, as lonthe g as budget is not an issue.

There is a team in my company that uses them, but they are part of a separate company. We do not have any partnership with them yet.

On a scale of 1-10, I rate Cribl an 8.

We use Cribl Stream to collect logs from multiple sources, transform and enrich them, filter out unnecessary data before sending them to SIEM. We also use Cribl to route logging to data lake.

Since we started using Cribl, it’s made a huge difference for us. We spend a lot less time building and maintaining things, so the team can focus on the security work that really matters and brings value. Plus, by filtering out all the noisy data we don’t need, we’ve been able to cut costs and make our data a lot cleaner.

One of the biggest things I love about Cribl is that you can actually see the output in real time before you push anything to production. The UI makes it super easy to work with, and honestly, it saves a ton of time. Plus, it’s way easier to collaborate—everyone’s on the same page, and you’re not guessing what the data’s gonna look like once it’s live

So since we’re handling a ton of data, I think we could really benefit from a more integrated or connected way to manage it all. Like, if there is a way to better track data lineage, metadata, those can help with knowledge transfer.

A couple of months

I haven’t ran into issue yet

I can’t really speak to scalability yet. So far I don’t have any problem with it.

The technical support is good. I'm happy with that.

Positive

We have used something similar before, which was Logstash.

Not sure

I think the pricing for Cribl is reasonable. For large usage, but I heard the calculation of those credits is a bit complicated.

We did, but Cribl just felt more mature and well-established. I think that’s the reason why we selected it.

Cribl gives us way more control and flexibility than we ever had before. We deal with massive volumes of telemetry data, and honestly, a lot of it is just noise. Cribl allow us to easily filter, transform, and route that data exactly how we want. It’s made a big difference.

I am using Cribl to have everything centralized in one tool in terms of data collection. We were working with different Splunk customers, and Cribl helps collect data and then send it to an S3 bucket or Amazon Web Services (AWS) response plan.

Cribl allows us to enforce security for some customers. For instance, if they want to add fields, values, or need to change formats to comply with different security standards, Cribl makes it possible.

My favorite option in Cribl is the Stream product. It is the best use case for us and our customers. Additionally, the community on Slack is excellent for solving questions and getting ideas.

At the moment, I don't have specific feedback on what can be improved as I do not work with Cribl daily. Perhaps more flexibility in terms of metrics would be helpful.

I have been using Cribl for about two years, more or less.

From my experience, I did not face issues with Cribl's stability. However, I heard others have faced issues.

In my experience, Cribl has been perfect in terms of scalability. I did not have any issues.

I haven't contacted them in terms of paid support. That said, the community, including the engineering and sales teams, is available on Slack and is very supportive.

Positive

The initial setup is really straightforward, and the documentation is very good.

I am not aware of the pricing details, however, I know they use a credit format for billing.

Utilize the documentation to ensure Cribl fits your use case, and join the Cribl community for any questions or recommendations.

I'd rate the solution ten out of ten.

We were one of the first customers when Cribl launched. Around 10% to 20% of Cribl had already been implemented when I joined. My role involved expanding it to 100% of our incoming logs being processed through Cribl. Our primary use case was to collect logs from various cloud sources. We also planned to migrate and optimize our usage, as we now handle a significant volume, about 15 TB, with enterprise licensing.

Cribl played a crucial role in reducing costs and improving efficiency, though we’re still fully realizing those benefits. We have now implemented Cribl as our primary log collection endpoint. We use it alongside Splunk, aiming to reduce licensing costs while taking advantage of Cribl's streamlined log collection features.

Once Cribl is fully integrated, we plan to segregate data—moving less critical logs, like test and non-production logs, to open-source solutions to further reduce licensing costs. In our hybrid environment, with enterprise and open-source tools, Cribl has simplified the process. We've successfully used it to migrate our enterprise logs to the cloud, and this migration is ongoing. Cribl has been instrumental in ensuring that these changes do not disrupt our production systems and has made the migration between different log management tools, including Splunk and others like Microsoft Sentinel or Datadog, much smoother.

One of the main benefits is the simplified log collection from multiple sources. Cribl offers easy plugin configurations and source collection settings, allowing us to collect logs from any source. We can test by passing sample logs without needing a separate test environment, unlike in Splunk, where onboarding data requires a non-prod environment and multiple validations before moving to production. Cribl significantly reduces the time required by allowing us to upload samples, perform parsing and field extractions, and commit directly to production.

Cribl has simplified many aspects of the onboarding process, but there's still room for improvement. Currently, no other tools in the market truly compete with Cribl in its niche. Splunk is trying to retain customers by developing ingest actions to reduce licensing costs, hoping to prevent them from switching to Cribl.

There is no alerting mechanism for the leader/worker nodes status.

Since Cribl plays a major role in the mid-layer between the source and destination, there's a slight risk of losing data at some points while receiving real time data.

It would be helpful if Cribl could temporarily store or index the data for a specific time range. This would prevent data loss during downtime. Additionally, there's room for improvement in how Cribl handles historical data. Currently, I can't view trends beyond a week, and even then, it’s often limited to just 24 hours. Since Cribl doesn’t index the data but only forwards it, extending the period for viewing statistics and monitoring trends would be a valuable enhancement.

I have been using Cribl for around two and a half years. We are using V4.1.2 of the solution.

We've encountered some minor bugs, particularly in data parsing. However, these were quickly addressed in the next version. It is a stable product with ongoing development that reflects steady improvement.

Ten members use this solution from both on-site and off-site.

The support we've received over the last two years has been good. Whenever I've raised a case, they've addressed it based on the priority level and have been consistently supportive.

Positive

Cribl can collect data from any source straightforwardly without disrupting the existing logging setup—minor changes are needed to point the logs to Cribl. One of the main reasons we adopted Cribl was to reduce our Splunk licensing costs, which has been very effective. The cost savings from using Cribl versus the reduced licensing fees for our enterprise setup are significant.

In the first implementation phase, we saw noticeable results in reduced licensing costs. As management pushed for further cost savings by incorporating open-source solutions, Cribl was crucial in ensuring a smooth transition. Whether migrating from one tool to another, splitting, or moving from enterprise to cloud, Cribl has made these transitions seamless.

The initial setup with Cribl is much easier. Upgrading versions, especially in cloud environments, is almost a single-click process. Upgrading is also straightforward for on-premises setups—updating the leader node automatically distributes the upgrade to all worker groups and nodes. This makes upgrading, maintaining, and installing Cribl relatively simple compared to other tools.

Additionally, Cribl offers free training for users and administrators. The existing learning materials are comprehensive enough to support effective use and deployment.

Compared to other enterprise solutions, Cribl tends to be more cost-effective. While other major players can be quite expensive, especially as data volumes increase over time, Cribl offers a fair pricing model. As organizations continue to generate larger amounts of data daily, it's important for large enterprise solutions to reconsider their pricing structures and potentially offer better deals for larger data needs. Cribl is not the cheapest option but provides good value, given its scalability and efficiency.

The first thing to consider is the amount of data you're dealing with. Cribl is particularly beneficial for large-scale data environments. It allows you to process and store data efficiently, similar to how Splunk uses summary indexes. For example, when pulling raw events into Splunk, we often extract relevant logs using data models to simplify the data. Cribl enables a similar approach by letting you directly parse and filter data. If you have a raw event with hundreds of fields but only need 40% of those for day-to-day operations, Cribl lets you create multiple pipelines to extract the necessary data for your enterprise and production servers.

At the same time, you can save a complete copy of the raw events in data lakes or local storage without affecting daily operations. If a security incident arises and the extracted fields don’t provide enough information, Cribl’s replay feature allows you to retrieve and analyze the raw data for a specific time range. This capability is handy when handling terabytes of data per day. When someone asks if Cribl is right for their needs, my first question is about the size of the data they're dealing with.

Overall, I rate the solution a ten out of ten.

We use Cribl Stream as a pipeline mid-tier solution. One use case involves curating logs for various reasons, such as reducing log size, redaction, and ensuring proper data ingestion across multiple end systems. 

The platform's most valuable feature is the ability to transform data in real-time within the pipeline without sending it to a destination. This flexibility allows me to make necessary changes to the data in real time. 

Additionally, it offers powerful functionalities for data reduction, masking, and adding intelligence. The inbuilt packs also ease the work by providing ready-to-use functions.

Cribl could improve by offering easier integrations with enterprise products, similar to what Splunk provides. 

I started using Cribl in 2018 for a proof of concept with one of my clients.

I haven't experienced stability issues. The solution has mechanisms to handle persistent queuing and other potential problems, which helps prevent crashes or downtime.

The product is highly scalable. Deploying a node is quick and easy, often taking just fifteen minutes. You can automate the process using a CI/CD pipeline.

I have contacted the technical support team. My experience has been mixed; sometimes, the support is excellent, quick, and knowledgeable, while other times, it has been less effective.

Neutral

The setup was straightforward, as Cribl is similar to Splunk in terms of installation and management. It takes about 30 minutes to an hour to complete, though creating routes and pipelines takes additional time.

One person can handle the installation itself. The UI is user-friendly, making it manageable for an individual. However, having a team with development knowledge could be beneficial for creating routes and pipelines.

Initially, I had Cribl professional services to guide me through the setup. However, given my experience with Splunk, I could handle the deployment after the initial guidance.

The product pricing is reasonable compared to other solutions like Splunk. It offers good value, especially considering the potential savings on other licenses, such as those for Splunk.

For new users, it is advisable to complete their certification. They have an extensive and very good set of online courses, so doing these and completing the certification will give you a good start. If you’re a new user, this would be your first place to go. It will give you a good launchpad for managing and using it.

I rate it an eight.  

In this particular situation, we use Cribl to deploy data to various destinations. My role is to create and analyze data and deploy it to the appropriate location required by the organization. I also monitor data to manipulate or adjust it as needed. Additionally, we use it to amend or remove some lookup in the data or to add some phrases, ensuring it meets the organization's requirements. Overall, we use it for daily data management activities.

Cribl makes the work easier by providing a straightforward way to deploy data from the source to the destination without much coding. It is valuable for resizing data, increasing process complexity, and enhancing deployment availability. It simplifies the process of sending data to various destinations while providing options to block certain destinations, which is more efficient compared to other applications that require deploying data one at a time.

Features such as Cribl Stream, Cribl LogStream, and Cribl Edge have been the most beneficial. The Cribl LogStream, in particular, is valuable for routing data, creating firewalls on pipelines, and putting security measures in place to ensure data reaches its destination without issues.

Cribl should consider adding more features that are applicable to smaller firms, allowing broader access to their data migration through Cribl. Additionally, there's room for more enhancement concerning the desktop server so tasks can be processed more directly.

I worked with Cribl for about eight months, and I stopped working on a specific project with it five months ago.

Cribl has been stable. Even when issues arise, having a KPI knowledge allows us to address challenges without significant difficulties.

Cribl is very scalable, and I'm looking forward to continuing to work with it for a long time due to its ability to upgrade and improve continuously.

I would rate Cribl's customer service and technical support as nine and a half out of ten. We have worked with various teams to address some issues, and the support has been exceptional.

Positive

Previously, I worked with Azure Active Directory and other applications to handle tasks such as Azure DBN, data deployment, and subscription management

The initial setup of Cribl was straightforward, often taking as little as thirty minutes for deployment. Cribl has QuickConnect features that simplify the process significantly. However, we preferred using routing and pipelines for more control and security measures.

Working with the relevant implementation teams, including the network and SOC teams, ensured that deployment and maintenance processes were completed smoothly.

For now, I haven't seen a return on investment with Cribl, particularly in terms of processing time and cost-saving.

Cribl offers a reduction in pricing, up to thirty percent, which is beneficial. Although I'm not involved in licensing, I know that the price reduction is accurate and well-received.

There are other solutions like Azure and Splunk, and each has its strengths. Cribl stands out due to its streaming data model and integration for security use.

I would recommend Cribl to organizations facing data challenges due to its perfect security measures and ease of use. It offers a simple, fast, and efficient solution.

Entire logs from my organization go through Cribl and get routed to Splunk and various other destinations. I use it on a large scale in my organization. Cribl Stream is one of my favorite parts. I use Cribl to route the logs to various destinations. It helped us to completely remove the monopoly on Splunk. Not only firewall logs, but also cloud trail logs and many other logs were processed through Cribl.

It helped us to completely remove the monopoly on Splunk, as we previously couldn't have any control over logs and how to optimize them. When we had Cribl in place, it provided a vision and a platform for us to control what we send and how we send it in terms of data passing, data enrichment, and many more things, with massaging the data. It also helped us to open up to many tools where we could send the data to various destinations, as it is vendor-agnostic.

Cribl Stream is good, but I feel they could develop more products apart from Cribl Stream for my use case. I know Search is coming and Data Lake is there, but there can be more innovations in Cribl. They had one good product, which is Cribl Stream, which appears to be the primary revenue source for the company, but there may be many other use cases. They could explore OTel and how to connect with DynaTrace. They are looking specifically for logging, but expanding into metrics and APM would also help.

I have been using Cribl for the past three to four years.

On-premises deployment is something which customers take care of themselves. Earlier versions had quite a few issues, but there are more stable versions now, so it is a good time to start using Cribl.

They are very scalable and good.

They are very good in terms of solving issues. Regarding availability over other time zones, since it is mostly focused on Europe and US, they are starting to build up in New Zealand and other places.

I tried a few other alternatives as POCs, but none of them worked out as effectively as Cribl.

We worked on it for six months. Our infrastructure is complex, so it took almost six months, a couple of quarters.

If you have a good architect and a couple of Cribl staff members to assist, three persons can handle the implementation.

It is feasible and doable. Compared to Splunk, Cribl is cheaper.

Pricing is feasible and doable. Compared to Splunk, Cribl is cheaper.

I tried a few other alternatives as POCs, but none of them worked out as effectively as Cribl.

It has been able to perform to the best of its capabilities. They are able to handle everything with their non-shared architecture. On a scale of 1-10, I would rate Cribl a solid nine.

We've encountered several challenges, but what's most promising and encouraging is Cribl's scalability. The architecture is impressive, and it distributes work across all worker nodes and communicates with the leader.

There have been several administrative issues. Another point is that the browsing functions aren't very intuitive.

The most challenging aspect is the versioning system. Everyone can see and potentially deploy each other's changes in a team of developers. Unlike traditional versioning systems, where you work in isolated feature branches and only merge changes after reviewing conflicts, Cribl's versioning system requires careful management because everyone works on the same repository. 

I work with a team that includes both experienced and less experienced developers. Though new to this technology, the two senior developers have extensive experience with various other technologies and can get up to speed relatively quickly with the available training. The less experienced developers face significant challenges. They struggle to understand the system, suggesting it may not be intuitive.

I have been using Cribl for two years.

I rate the solution’s stability a seven out of ten.

10-15 people are using this solution.

Everything works, but it required a lot of support. The setup wasn't easy, but the support team was very helpful and managed to get everything production-ready. 

Setting up Cribl for basic training is straightforward and effective. You can easily configure it on your laptop by downloading the binaries and using simple command-line instructions to set it up in different modes, like leader, edge node, or single deployment. Adding a worker node is also simple; just run a script generated in the UI, and it's up and running.

The enterprise setup process is more complex, and there are significant documentation challenges. Despite the system eventually being available, the process involved many support calls and workarounds. Getting everything set up for a production-ready enterprise deployment was long and challenging.

In some of the projects I've been working on, we're still testing and exploring Cribl's capabilities. We haven't established specific business goals or fixed objectives yet. Currently, we're focused on ingesting data from various sources with minimal transformation to understand how Cribl handles different types of logs and data.

I encounter issues with the UI not accurately reflecting the current status. For example, the UI might show that a worker is still fetching the latest version of the code, but after refreshing the page, it usually updates to show that everything is up and running. Over time, I've learned to recognize when the UI is not displaying the correct information and use the refresh button to get the accurate status.

Overall, I rate the solution a six out of ten.