Cribl Reviews

I have been using Cribl for about a year in my career. As a consultant, my job nature involves working with clients and coming up with solutions. Many of my clients are interested in observability, so I evaluated Cribl as a potential tool for their needs. Cribl is a relatively new product, and I have been involved with it since last year.

What I appreciate most about Cribl is that it addresses a major gap in the market compared to the competition. Splunk is extremely expensive, and many of my clients are financial institutions, including big banks, insurance companies, and fintech payment companies in Canada. While they already have Splunk installed, it is costly and sometimes does not meet their needs. Cribl offers significant advantages because from the source, you can collect all the data you want and filter and transform it.

In recent years, many of my clients are focused on fraud prevention, AML compliance, and regulatory requirements. They have numerous MRAs that they need to remediate and show evidence for. Cribl provides better control over data sourcing and allows them to demonstrate good control of their data.

I appreciate that Cribl provides better control of data from the source, which translates to better control over the cost of data and complexity. Many of my clients have sources of data across different platforms, and Cribl allows them to manage data from all these different sources in one place.

One area for improvement would be the certification path for Cribl. I understand there is a need for higher-end certifications, but it would be beneficial to also create certifications that are more accessible for business people or consultants. The current engineer certification is quite rigorous and not easy to pass. While keeping that rigorous option, providing another option for business or consultant users to get certified would be valuable.

I have been using Cribl for about a year.

Regarding stability, I have not experienced any lagging, crashing, or downtime with Cribl.

I believe Cribl is suitable for both large corporations and the small and medium business market. Some of my clients are very large banks in Canada, including one of the largest banks in the country. However, I also work with smaller clients, such as smaller insurance companies. Cribl performs effectively across both market segments.

I have contacted technical support for issues and had a positive experience. I started by opening a ticket from their website. I have dealt with other vendor products in the past where support was unresponsive, but Cribl's support is very good. I was pleasantly surprised by their quality and speed of response. I would rank their support at an eight out of ten, though I acknowledge that I tend to be overly critical.

While I have not personally tried similar solutions, my clients have been using Splunk, which is the most comparable solution they have relied on for a long time.

I have not done an actual deployment myself, but my understanding is that the initial deployment is easy.

Regarding maintenance on the client's end, there is some administration required. Standard updates from Cribl, such as security fixes and bug fixes, are typical maintenance tasks. I would need to review the specific details to provide a more comprehensive answer about all required maintenance.

I do not know the exact pricing because as a consultant, I am not privy to the exact numbers my clients are paying. Pricing often includes deals and investments from vendors. However, based on feedback from my clients, Splunk is more expensive, and Cribl appears to be more affordable.

Regarding pricing for Cribl, I cannot speak to exact numbers because as a consultant, the clients handle the financial details. Deals between vendors like Splunk and Cribl often involve special investments, so the pricing varies. Based on what my clients have shared, Splunk is significantly more expensive, and Cribl appears to offer better value.

I contacted technical support for issues and had a very positive experience. I would give this review an overall rating of eight out of ten.

Cribl is used to manage routing of different log systems and vulnerability type log scanning and retention, which is then re-routed to log retention servers. Firewall logs are sent directly from firewalls into Splunk, which is where Cribl also sends data, so Cribl is bypassed for firewalls. Cribl is primarily utilized for internal servers, systems, and endpoints.

The ability to make different variations and adjustments within Cribl to scan for specific items or to get an overall scan is valuable. Cribl's ability to contain data cost and complexity makes the system much easier to use. The cost is higher than preferred, but it is considered the cost of doing business. Data ingestion costs increase with higher ingestion levels, but by maintaining similar or lower levels and refining tuning and ingestion as it comes, costs have been maintained and remain within expectations.

Cribl's interface is user-friendly and easy to learn, making it simple to teach new users how to use it.

Cribl handles a high volume of diverse data types very well, such as logs and metrics. However, the endpoint plug-in tool can use some refinement, as it tends to hit system resources and can sometimes be detrimental to systems to the point where it must be turned off and a scan restarted when a user is offline.

Outside of the endpoint issue, there may not be much that Cribl can do better in the program itself. It becomes tedious when one-off fixes are needed because a user submits a ticket complaining that their system is unusable due to Cribl performing a scan.

Cribl has been used for approximately six years in a career, not necessarily on this job only.

No lagging, crashing, downtime, or instability has been observed in Cribl itself, only in the endpoint scanner. The system itself has been very solid.

Cribl is fairly easy to scale. If ingestion levels need to increase or decrease, adding new nodes is not an issue. Adding the endpoint scanner is not difficult and is fairly easy to use and upscale as needed.

Customer support or technical support through a ticket or email has not been contacted personally. The DevOps team, which handles maintenance updates, has contacted support when running into an issue, which may occur once a year if that, so nothing major has been cause for concern.

The initial deployment of Cribl was somewhat tedious due to the environment being specialized and restricted in an air-gapped setup, so everything had to be built on-premise. This made deployment more difficult when unable to reach the internet to get updates. It took some time, but this was strictly due to the restricted environment, as everything had to be placed on a hard drive, brought across, updated, and then troubleshot through that effort.

No alternatives to Cribl have been tried because there has been no need to.

Cribl requires routine updates, with no other real maintenance required. This review is rated an eight out of ten.

I use Cribl with all of my customers that I manage services for. It's how I get their third-party log sources into Microsoft Sentinel.

We save about 75% percent of our costs by processing network and firewall logs through Cribl. This is largely due to the compression and duplication that exists within those logs. They tend to be very noisy, and most of the information isn’t useful from a security standpoint. While some of the data might be valuable to other departments, we don’t need to store all that extra information. By removing these unnecessary details, we quickly reduce our data retention costs by 75%.

Cribl makes it very easy to contain data cost and complexity. As far as complexity is concerned, there might be manual ways to do it in other products, but not with the ease and durability. It remains the same, whereas you might try to put a patchwork of other things together to get the same result. In terms of controlling costs, we achieve about 75% savings on data storage, which is fantastic. However, it’s worth noting that Cribl is not free, so we do pay for it to realize these savings. As long as Cribl doesn’t increase their prices too steeply or too quickly, we should be fine in terms of managing our costs.

Cribl definitely handles high volumes of diverse data types. Anything from firewall logs, endpoint security logs, to Windows event logs can become very noisy, especially in large environments. I've not had an issue with Cribl dropping logs. Occasionally there could be a short-term outage, but that's definitely very rare.

My favorite feature is Cribl Stream. That's probably the only Cribl product I have a lot of experience with, and Cribl Stream makes it very easy to identify where all the customer's log sources are and to quickly connect them to a destination source such as Microsoft Sentinel and Microsoft Azure Data Storage.

Cribl Stream does two things: not only does it make it easy to connect one log source or one dataset to multiple storage locations, but it also has compression features, which greatly reduce the storage cost for that data. It strips out and compresses data so that only the absolute information remains and not any duplicates. Dual destination and compression are the two top features.

I would Cribl to become more Microsoft-focused. A lot of my work is in the Microsoft environment. Cribl supports all of these other platforms out there, and they seem to be developing a lot for CrowdStrike. I'd prefer to see some Microsoft-specific connectors built inside of Cribl.

I have been using Cribl for about two years now. They've only been around for about four years, so I've been using them for half of their existence.

The performance and stability of Cribl are fantastic. The uptime is 99.9%. We are realizing all of the cost savings promised, and there are no failures.

Scalability is easy because we can just go into the portal and add a new log source. If we onboard a new firewall or something we want to collect logs on, we can quickly implement that. I don't need to talk to a Cribl engineer to connect a new log source. The only requirement might be purchasing more Cribl credits if I'm running low because I'm asking it to do more than originally specified.

We've engaged their customer service and support, and anytime there's an outage, they've been very receptive. They've quickly escalated our tickets and helped us get resolution. We've never felt we were waiting for a response or that they didn't know what was going on. I think it's maybe because we were an early customer. I would assume it's the same for all customers, but we've gotten great treatment. 

I would give them a 10 out of 10 for support. They are very responsive. We deal with a lot of other cloud solution providers who have tried to save money on support. It could be that because Cribl is new and they really want to make sure all new customers are being successful, but we really hope this continues. We don't feel we're alone.

The only alternative I can compare Cribl to would be Azure Data Transformation, Azure Data Time configuration rules and policies, basically making the storage source sort the data, and that is very painful. I don't see any next-best options when it comes to Cribl. They seem to be a leader and standing alone in their service offering, specific to Cribl Stream. For other products such as Cribl Lake, there's now Microsoft Sentinel Lake, which is a competitor, and I haven't really analyzed the pricing to see how competitive that is. But regarding Cribl Stream, there's no close competitor. The closest is extremely painful, requiring about 20 pages of configuration to even get close.

It's straightforward. They have a really nice user interface, and their service engineers will guide you through the initial setup. Since they are compensated based on product usage, they ensure that we are properly onboarded and that our experience is as successful as possible.

To deploy Cribl probably took an hour. Identifying all the different log sources that we wanted to bring in took about another eight hours of human work as it was a data exercise of determining which log sources are important to us, and where we can get the best compression or data size reduction. You can connect to them all automatically, but you want to have the thought process of which ones matter and what actual data you need. 

It does not require any maintenance on my end. The big thing is just checking connector health to make sure everything is running and that logs aren't dropping and that there haven't been any changes. In case there's any outage, putting in a ticket for any outage issues is very minimal. It's set it and forget it, and then just monitor to make sure nothing's bad or nothing has gone wrong.

We're a large organization, so we have a team of about five people who worked on the deployment of Cribl. I'm sure smaller organizations could use a lot less. We probably could have gotten away with two or three people. Not to say one person couldn't do it, but it's always good to have another person putting eyes on the process just so that we don't have a single point of failure.

The pricing has been increasing year-over-year, and I understand that the cost of business continues to grow. The cost of log retention and all the aspects they're fighting against, they are also a victim of. It is a concern that I'm watching as they raise prices about 10% year-over-year. I am still observing significant cost savings, although the amount of savings is gradually decreasing. Additionally, they are currently the sole provider of this type of solution, which means they face no competitive threats.

I would rate Cribl a ten out of ten. I truly appreciate them as partners. They genuinely feel like they're with us on this journey to manage the increasing volume of data. It's been exciting to watch them grow. At first, I thought I was a bit of a nerd for being an early adopter, but seeing so many others come on board after us reassures me that we made the right decision.

We work on Splunk, so we use Cribl. Our company works with a system where approximately 12 to 15 TB of data comes daily in Splunk. We don't store the data directly into Splunk; instead, we use Cribl first. By using Cribl, it removes unnecessary data and keeps the important data, which can reduce the size.

My favorite feature is that Cribl is connected with Splunk very easily and it routes the data. The filtering is the most important feature because it removes unwanted logs, and the central control manages everything from one place. Cribl provides pipelines, which process the data step-by-step, so all the features are very useful.

It is very difficult to learn as a beginner.

I sometimes experience downtime, and by that, we sometimes miss logs, which creates a problem, but not for a long time. Sometimes we face these issues.

I have been using Cribl for four months.

I sometimes experience downtime, and by that, we sometimes miss logs, which creates a problem, but not for a long time. Sometimes we face these issues.

I have a very good experience with customer support. When we are in trouble, they give us fast responses and good responses, which is very useful for us.

The initial deployment when I first started using Cribl was not that difficult. As a beginner, I think it is a little difficult, not that much easy. However, once you start learning and become an experienced user, it is very easy. One person can handle the whole setup without needing a large team.

Cribl's interface is very good, and it is easy to understand how to use Cribl. When I started to use Cribl, it wasn't that difficult to learn. I learned how to pass the data into Cribl, so it is easy. Cribl has a good user interface, which makes work easier for me. I would rate this product a 9 out of 10.

My current use cases involve using it as a pipeline to process data, to route data from cloud logs to different repositories. Some data goes to Splunk and others go to different data lakes. I didn't work with the firewall logs directly. We use Cribl to process web activity and route data that we wanted to into Splunk ES to create detections.

What I appreciate the most about Cribl is the free training, the free access to all the training, and how easy it is to learn it. Cribl is great in handling high volumes of diverse data types, such as logs and metrics. It does the job.

The product is very good. They could add more AI-assisted pipeline development in the future release.

I have been using Cribl for six months.

I haven't seen any lagging or crashing with Cribl.

Cribl's scalability is very good.

I have never contacted the technical support or customer support of Cribl.

Positive

The initial deployment when I first started with Cribl was fairly easy, very easy.

We were a team for this job.

I have used alternatives to Cribl. I forgot the name, but it's a CrowdStrike product they just acquired that is the closest one I've used to Cribl in terms of the quality and the features. Currently, I prefer Cribl more than CrowdStrike. I still haven't played much with the other one, but I didn't find any issues with Cribl.

Regarding Cribl's ability to contain data cost and complexity, if they can reduce their cost, that will make them more competitive. However, I don't know what else they can do in regards to how the application works. It's very good.

For the project that I was involved in, it took me probably three weeks to set it up. We had to maintain our pipelines, not because of anything related to Cribl itself, but because the data source changed, so we had to adjust our pipelines. That was the kind of maintenance that we did.

I would rate Cribl a nine out of ten.

Cribl is used for log management and SIEM in terms of optimization of the data that we are collecting.

The flexibility that Cribl provides allows us to manage the data and work with the data effectively.

Implementing Cribl has optimized the infrastructure that we have and is improving the optimization of the services that we are providing.

Other than the Cribl module that we are using, Cribl Search has several modules, so there is room to improve that capability in Cribl.

In Cribl Search, the language and the flexibility in querying the data can be improved because it is not as good as other solutions.

Cribl Search does not currently help search data in place for investigative issues or answer questions across our data stores at this moment because we are not using it at that level yet, but hopefully in the future.

I would advise others looking to implement Cribl that if they are evolving Cribl Search, it would be very interesting to see more capability, more flexibility, and more ways to share the data similar to Splunk.

I have around three and a half years of experience working with Cribl.

Cribl's stability is an eight.

For scalability, I would rate it a ten.

I would rate the technical support as an eight.

I would compare Cribl with other solutions or vendors as mature. We have seen another solution similar but not as mature as Cribl at the moment.

I am talking about the Data Stream Processor from Splunk and also Omnium from Spain.

Cribl is easy to deploy; the team managing the deployment did not report any concerns about the complexity of the deployment of the solution.

The deployment is straightforward; it is just a matter of coordination with other teams, but everything was released in one day.

Regarding the firewall logs with Cribl, the digression of the data that we are experiencing thanks to Cribl is amazing. Although I cannot provide exact numbers, the reduction is significant.

I use Cribl Stream, Cribl Lake, and Cribl Search. My experience with Cribl Search and Cribl Lake is just initial; we are just starting to use them. Cribl Stream is the optimization we are using right now in terms of data collection and data management and is more mature.

Cribl Search has changed my approach to long-term log retention and historical investigation.

I would rate this review an eight overall.

My current use cases mostly involve using Cribl before Splunk to reduce the license by normalizing the logs, by reducing the raw data and dropping the unwanted data. Cribl can process different formats, and the team can easily adopt it, so any data will be modified. These are the use cases, as I mostly use Cribl for Splunk purposes. Additionally, if I am required to send the data to other destinations, I can use Cribl because during a migration process, I typically have two similar solutions to send the data to those two particular destinations.

For instance, if auto information is not available, Cribl will remove it from the log itself.

If the firewall logs are needed for security or IT purposes, I can easily send them to different destinations.

What I like the most about Cribl is its Web UI feature, which is totally user-friendly and has many functions that can change the data structure. That is the main thing I appreciate. I can also reduce the size of particular items, and since Splunk's license is high, this functionality is very helpful. This is the main feature, but for this purpose only, I am using it. Most of the tasks are handled in Cribl, which makes it easier for Splunk to parse the data and maintain SIM compliance.

Cribl handles high volumes of diverse data types, including logs and metrics, quite effectively. It has separate handling for metrics and can manage them easily based on size. Prior to handling data, the appropriate memory size for the CPU needs to be determined to accommodate a higher amount of logs and metrics.

Cribl acts as a super product because it enables one source to send to multiple destinations using only one copy.

To develop user skills in Cribl, it needs to improve some certifications, as the ones I have taken are not entirely helpful in the main projects for the clients. The documentation requires more improvement in the certification aspect to better develop user skills.

I have been working with Cribl for two years.

Cribl's stability is good, with no issues present. I have been working with it for two years, and it is only helpful in changing the data.

For scalability, I would mark it as nine out of ten.

I have contacted the technical support for Cribl, and I found their service to be good. I faced an issue for one of my customers who couldn't send the universal forwarder internal logs to display in the monitoring console. They quickly resolved this by enabling something in their worker, allowing the customer to receive all the information they required.

Positive

I have not used any alternatives to Cribl; there is no similar product I have utilized.

The initial deployment of Cribl is easy, with a few steps similar to Splunk. The installation process is straightforward, and ample information is available in the documents. All the documentation can be found in Cribl university.

I remember that it takes approximately two hours to fully deploy Cribl for the first time, especially for clustering. For the deployment of the leader and the workers, if all the requirements are met, including network requirements with no port issues, I can deploy Cribl base within that timeframe.

One person is enough to deploy Cribl; a team is not necessary.

I have seen a decrease in firewall logs with Cribl; I have almost a thirty percent decrease when estimating usage. Cribl effectively reduces unwanted logs, eliminating what is not required or what is unavailable.

Regarding pricing, I find it okay because Cribl is used to reduce the costs associated with Splunk. Comparatively, the Splunk license pricing is acceptable, so I have no issues with the pricing. Customers prefer to use Cribl instead of the Splunk license due to these benefits.

I have not used any alternatives to Cribl; there is no similar product I have utilized.

I have no dislikes about Cribl, but I notice that there is only an extra product in between when using Splunk. However, if I have different destinations, Cribl acts as a super product because it enables one source to send to multiple destinations using only one copy.

Their ongoing improvisation means they are consistently getting new features, and they are continuously improving.

I would give Cribl a score of nine out of ten.

For Cribl, we use only Stream, which we are using as a data pipeline in between our environment and the SIEM console. We have two SIEMs: one is a cloud SIEM and one is an on-prem SIEM. On-prem, we are using another user and entity behavior analysis tool, so we have a redirection or a copy of a log for user login and logout information. Then we have a SIEM console, and we have redirections to the SIEM through Cribl. From the environment, we have a load balancer, and from the load balancer, we have this data pipeline configured to different SIEMs, and then we have that data transferred to two different SIEMs.

Cribl's ability to handle high volumes of diverse data types is exactly the purpose that we took it for, and as far as I have seen for the last nine months, it is handling well without issues. Connectivity-wise, there is some problem, but I'm not sure whether it's from the Cribl end or the SIEM end; we are working on both ends right now, so I don't see any problems concerning that. Cribl has helped in reducing informational logs between the main entity of our SIEM and the external entity, so that actually helped.

Regarding Cribl's solution, we have limited access to Stream. I'm not sure about the other three products. We only use the Stream of Cribl. If I suggest something, it may be available on the other products. I haven't worked on those. The suggestion would be more into log information, as I'm not able to view more logs because this is a limitation that we are only using for data pipelining. If we have more visibility or if the storage structure is already there, I'm not sure; if it is there, it would be fine.

Regarding stability, lagging only happens if I exceed my data analysis stuff, but it is a limitation with Cribl as per their design. We do not use it for that purpose, but if it is improved, it would be great. For scalability, I'm not sure in my project as we are using it only for a limited purpose. Maybe, if there was an environment that required more data transfers and logs to be filtered out, it would be good, and I would suggest it.

I have been using Cribl since we deployed it during November, which is close to nine months.

We are actually checking on a regular basis; however, the problem is with the connectivity of the data pipeline and the SIEM. It requires attention if there is an alert; for example, if the pipeline is down and we receive an alert that it's not sending information to the log collection platform for more than one or two hours, if we receive an alert, it would be great.

For scalability, I'm not sure in my project as we are using it only for a limited purpose. Maybe, if there was an environment that required more data transfers and logs to be filtered out, it would be good, and I would suggest it.

My engineering team contacts Cribl's technical support; I join the call in case any issues come up and I provide my suggestions.

Positive

Cribl is the first tool that I'm using for this particular data pipelining. We do have Dynatrace, but we use it for a different purpose, for monitoring. Cribl is for streaming purposes only, so the purpose is different. I'm not sure if there is a competitor for this particular tool or not, as I haven't worked with any competitor so far.

The initial installation was kind of easy to understand for me, while my teammates struggled a little bit, so I would say it was okay.

My engineering team contacts Cribl's technical support; I join the call in case any issues come up and I provide my suggestions.

Cribl is the first tool that I'm using for this particular data pipelining.

For everything, my suggestion and limitation as I told, if it were there, I would give Cribl 10 out of 10; since it's not, I'm giving nine out of 10. I am just a user of Cribl; my company has a license with them. I'm not sure if they have a partnership with Cribl or not. I rate Cribl nine out of 10.