Jai Chudasama - PeerSpot reviewer
Security Engineer at a tech services company with 201-500 employees
Real User
Top 20
Provides data normalization and routes the same data to different destinations but lacks documentation

What is our primary use case?

We use Cribl for data normalization, which involves standardizing data from various sources before sending it to a SIEM. This helps reduce costs associated with SIEM ingestion. Additionally, we use Cribl to sanitize data by removing or masking sensitive information from certain fields.

How has it helped my organization?

Cribl filters out unnecessary events and data, and we reduced the costs associated with SIEM ingestion.

What is most valuable?

You can use Cribl to route the same data to different destinations. For instance, if a company uses multiple SIEMs and needs data in each, Cribl makes it easy to direct that data to various destinations. Setting up API connections to get data into the platform is easy. Cribl offers a cloud version, allowing different workspaces to segregate various functions within a company or organization.

What needs improvement?

The documentation part could be better. Their documentation could be updated, as new features often outdate existing information. Additionally, there are inconsistencies between the documentation for Cribl Cloud and Cribl on-premises. This can be confusing, as features may differ, leading to potential misunderstandings if you use documentation intended for one version while working with another. Consolidating and improving the clarity of the Cribl Cloud documentation would be very helpful.

Buyer's Guide
Cribl
October 2025
Learn what your peers think about Cribl. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
868,787 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Cribl for a year and a half.

What do I think about the scalability of the solution?

It is highly scalable. If you need more cloud worker groups, you're just a click or two away from doing that at extra cost.

How are customer service and support?

Depending on the license, we usually provide a Customer Success Manager to assist with any questions or issues when onboarding Cribl. They are very responsive, and their support is quite helpful.

How would you rate customer service and support?

Neutral

How was the initial setup?

We employed a hybrid strategy, setting up Cribl Cloud as the head node in their environment. For data processing, we used worker nodes within the client’s environment, which are closer to the data sources. This setup allowed us to process data locally before sending it to our destination. For cloud assets, such as SaaS applications like Salesforce, we used the cloud-hosted Cribl instance to handle that information. Meanwhile, the on-premises data was processed by the hybrid worker nodes.

We encountered delays due to third-party issues, extending the timeline to six to seven months. Without these issues, it likely would have taken around three months, depending on the speed of obtaining API keys, authorizations from networking teams, and other factors. Under ideal circumstances, a three-month timeframe would be more accurate.

You need to maintain the pipeline, which includes data processing, before it reaches its destination. When onboarding new data, managing and rotating API keys as needed is important. Maintaining these aspects ensures faster and more efficient deployments.

If you want to reduce log ingestion or route data to multiple destinations, consider using an on-premises or cloud solution. Your choice will depend on your organization’s network constraints. For example, if critical assets on your network need to connect to the internet, your network team might have restrictions. Weigh the benefits of cloud versus on-premises options to determine what best fits your needs.

What other advice do I have?

With less data coming into our system, we can now run queries faster since we're not processing as much data as before. The reduction has made our queries more efficient because we're working with more streamlined data.

The quick connects are great for testing and allow you to rapidly set up a proof of concept, which is very beneficial. They can also be useful in production environments. Another significant feature is the recent Sentinel integration. The provided pack simplifies the setup process, making it much easier than the previous method, where you had to manually handle tasks like finding API keys. This integration makes the setup much more efficient.

Overall, I rate the solution a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Pawel Kwiatkowski - PeerSpot reviewer
Self-employed at Cool Net
Real User
Top 20
Provides a robust framework for managing data flows, but the debugging capabilities need improvement
Pros and Cons
  • "The product's most valuable features include the internal management of events, coding perspective, data processing, and serialization."
  • "The sys logging could be enhanced to make it easier to identify errors, especially when dealing with multiple functions."

What is our primary use case?

My primary use case for the platform was the internal management of events, parsing, and enriching events based on lookup files. It involved creating sources and destinations, managing data processing, and serializing data.

How has it helped my organization?

The solution has streamlined our data management and processing, making handling event data easier and forwarding it to the required destinations. It has provided a robust framework for managing data flows and event parsing, improving our overall efficiency in handling large volumes of data.

What is most valuable?

The product's most valuable features include the internal management of events, coding perspective, data processing, and serialization.

What needs improvement?

The product could be improved in terms of its logging and debugging capabilities. The sys logging could be enhanced to make it easier to identify errors, especially when dealing with multiple functions. Additionally, the user interface could be more flexible for advanced customizations.

For how long have I used the solution?

I have been using Cribl for over one year. In my previous position, I integrated it with Broadview and socket and SNMP for event management, forwarding events to BigPanda via webhook, and writing JavaScript code for event parsing and enrichment.

What do I think about the stability of the solution?

I rate the stability of this solution as six out of ten. While it is generally stable, issues have affected its reliability, especially with more advanced and customized uses.

What do I think about the scalability of the solution?

The solution is quite scalable. It allows for performance extension by distributing workloads among multiple workers via a load balancer. This architecture supports different customer needs for small-medium companies or larger enterprises.

How are customer service and support?

The support team is good and willing to resolve issues. However, they could improve their understanding of customer requirements.

How was the initial setup?

The initial setup can vary in complexity depending on the integration. It is straightforward for well-defined formats like JSON or XML. However, customized integrations may require significant development effort.

What other advice do I have?

The solution is well-suited for quick integrations and common data processing tasks. However, highly customized integrations might require additional development efforts.

I rate it a seven out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Splunk Admin at a consultancy with self employed
Real User
Top 20
Collects and sends the logs directly to the cloud and has free training
Pros and Cons
  • "Cribl offers other valuable features. For instance, you can replay data from an edge device, store your daily data in a stream, and replay specific event data into Splunk if a security incident occurs"
  • "Cribl doesn't have as many packs available"

What is our primary use case?

We use Cribl for multiple purposes. One key use is migration to Splunk Cloud. Traditionally, we used Splunk as an intermediate forwarder but switched to Cribl for this role. Cribl collects and sends the logs directly to the cloud, forwarding all data to Splunk Cloud. 

Another advantage is the ability to extract only the necessary data visually rather than handling it in Splunk's Props. You can see the changes you're making and directly onboard specific logs, avoiding the need to onboard all data.

Additionally, Cribl offers other valuable features. For instance, you can replay data from an edge device, store your daily data in a stream, and replay specific event data into Splunk if a security incident occurs. This targeted replay allows for analysis without onboarding all data into Splunk, providing a significant cost-saving benefit.

What is most valuable?

You deploy the pops and see it effectively on the page. There are functions that you can deploy in the pipeline, and you can sample that particular function. For instance, if I'm deploying a function like an A or JSON function, I can test it live before deploying it into production. This allows us to play with the data and verify if the outcome is as expected, ensuring that the processed data matches the anticipated raw data amount. 

Additionally, if you want to push an upgrade in the recent four-star version, you can update all other worker groups directly from the master rather than updating each part separately. You can instruct the master to push the update to all other workers, eliminating the need to push the update to individual nodes.

What needs improvement?

Cribl has a good community base, but unlike some vendors like Splunk, which has many TAs, Cribl doesn't have as many packs available. They need to focus on developing more custom packs for various vendors so that their solutions can be used more effectively. This will help users identify which logs are necessary and which are not. 

For how long have I used the solution?

I have been using Cribl for the past three years. We are using the V4.1.2 of the solution.

What do I think about the stability of the solution?

Cribl is a pretty stable product.

How are customer service and support?

Support is quite good. If you notice an issue and report a case, they respond promptly. If there is a problem, they raise it internally, develop a fix, and push it to production immediately. Their turnaround time is also critical.

How was the initial setup?

The initial setup is easy if it is planned.

What's my experience with pricing, setup cost, and licensing?

It's cheaper than Splunk.

What other advice do I have?

Cribl has had a positive impact on reducing the need for multiple support services. It simplifies collecting log data from various cloud vendors in a single place, which is much easier than configuring, managing, and maintaining a database for a Splunk add-on. Cribl has made it easier to handle log data.

It takes about two months to get fully up to speed. Cribl provides free training and offers sandboxes for practice, allowing you to gain the necessary knowledge. Once trained, you can start working right away.

Overall, I rate the solution a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2540610 - PeerSpot reviewer
Security Engineer at a tech services company with 51-200 employees
Real User
Top 20
Offers efficient log management but has room for better documentation
Pros and Cons
  • "The capability to reduce logs in a user-friendly manner is a standout feature. Cribl allows us to view logs live as they are being processed, giving us quick feedback on the changes made."
  • "There is room for improvement in the documentation and knowledge base, particularly regarding configurations like sources where logs are being ingested"

What is our primary use case?

I use Cribl to ingest logs from different platforms. These logs could come from sources like Mimecast, Windows, or CrowdStrike logs. It acts as a pipeline to send data to our destinations and also helps in reducing the amount of logs sent by applying different functions on them.

How has it helped my organization?

Cribl has helped to save thousands of dollars for our clients. It provides cost-effective solutions, particularly when you know how to use it effectively. It does require some learning to cover all aspects of it because it's not entirely intuitive. However, once you overcome the learning curve and get hands-on with the platform, it significantly contributes to cost savings.

What is most valuable?

The capability to reduce logs in a user-friendly manner is a standout feature. Cribl allows us to view logs live as they are being processed, giving us quick feedback on the changes made.

Additionally, the data routing feature is beneficial because it gives us the option to send logs through data routes or QuickConnect, facilitating quick configurations of different sources and managing them more effectively. These functionalities offer logical and useful capabilities such as deciding where logs should be sent and specifying which fields should be included within the logs.

What needs improvement?

There is room for improvement in the documentation and knowledge base, particularly regarding configurations like sources where logs are being ingested. It would be helpful to have specific guidance on configuring different data sources, such as AWS S3 buckets. Additionally, the ability to understand what type of output a function will produce is missing in Cribl, which could be improved by indicating the output type.

For how long have I used the solution?

I have been using Cribl for more than one and a half years.

What do I think about the stability of the solution?

Cribl's stability has been well documented online, and we have not encountered any significant stability issues.

What do I think about the scalability of the solution?

We have tested Cribl and found it to be sufficiently scalable for our needs.

How are customer service and support?

At the time I was trying to do the course back then, I did escalate questions to tech support, but I haven't raised any recent issues.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have experience with Splunk and CrowdStrike. I am quite familiar with Splunk.

What was our ROI?

Cribl is indeed a cost-effective solution, saving thousands of dollars for our clients. It provides value through cost savings and time efficiency once users know how to effectively use the platform.

What other advice do I have?

It's important to know what source you will be using to ingest data into Cribl. Understanding how to configure the data source is key before using the platform. Once you have that figured out, Cribl becomes a powerful solution that can ingest almost anything with its Edge capability. However, having a clear understanding of the pathways you can take to ingest data is crucial before diving into it.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.