My usual use cases for Cribl involve collecting logs from many endpoints, including user activities. We collect logs into either Log Analytics Workspace or Event Hub and redirect to Cribl so that Cribl filters the required logs and redirects them to the SIEM tool. We do not get a chance to use the user interface of Cribl because our client has access to that; we only implement and do that. They will check whether it is there, but based on my experience, it will be pretty easy to see what is in the user interface, and it will be easy to manage as well. We have not used Cribl Search to a large extent because the client requirement was to only implement Cribl and integrate it with the SIEM. We have not used Cribl Search extensively, and I do not have any information about it.
InfraOps Team Lead at a tech vendor with 10,001+ employees
Real User
Top 20
Nov 26, 2025
Cribl is used to manage routing of different log systems and vulnerability type log scanning and retention, which is then re-routed to log retention servers. Firewall logs are sent directly from firewalls into Splunk, which is where Cribl also sends data, so Cribl is bypassed for firewalls. Cribl is primarily utilized for internal servers, systems, and endpoints.
We started our Cribl journey at the end of 2022, but we have been evaluating Cribl since 2020. We have been using Cribl from the end of 2022 until now, and the use case that brought Cribl into the picture is a critical business application sending its transactional logs into a database, which became overwhelmed due to the sheer volume of logs. We evaluated Cribl for that use case, and now it has evolved into much more than just servicing that use case in our organization, making it a three-plus-year journey into Cribl.
Sr. Lead Security Engineer at a tech vendor with 10,001+ employees
Real User
Top 10
Oct 14, 2025
Our main use case for Cribl is to help us reduce cost. Currently, we use the Stream and Edge products of Cribl, and it's on-premises for us. The Stream helps us with any optimization work that we have to do in terms of reduction of the data itself.
Senior Security Engineer at a university with 10,001+ employees
Real User
Top 10
Oct 14, 2025
Our main use case for Cribl is primarily taking data from all of our different data sources, doing some processing, field extractions, normalizing the data, and then sending it along to our SIEM for security incident response and investigation.
Cyber Security Engineer at a financial services firm with 10,001+ employees
Real User
Top 20
Sep 22, 2025
My current use cases involve using it as a pipeline to process data, to route data from cloud logs to different repositories. Some data goes to Splunk and others go to different data lakes. I didn't work with the firewall logs directly. We use Cribl to process web activity and route data that we wanted to into Splunk ES to create detections.
Our main use case for Cribl was SIEM migration, where we merged multiple SIEM solutions into a single SIEM solution. SIEM migration was the most major use case we were looking for. The second use case was a manageable logging solution which could have a nice interface and would be easy to manage. Data cutoff or log filtering was the third biggest use case we were looking for, where we were seeking data reduction to define what we need and don't need. Additionally, we performed data masking for PII, i.e., payments and medical data. These were the main use cases that were all provided by Cribl.
Lead Engineer at a manufacturing company with 10,001+ employees
Real User
Top 10
Aug 8, 2025
We use Cribl Stream to collect logs from multiple sources, transform and enrich them, and filter out unnecessary data before sending them to the SIEM. We also use Cribl to route logs to a data lake.
All logs from my organization go through Cribl and get routed to Splunk and various other destinations. I use it on a large scale in my organization. Cribl Stream is one of my favorite parts. I use Cribl to route the logs to various destinations. It helped us to completely remove the monopoly on Splunk. Not only firewall logs, but also CloudTrail logs and many other logs were processed through Cribl.
I am using Cribl to have everything centralized in one tool in terms of data collection. We were working with different Splunk customers, and Cribl helps collect data and then send it to an S3 bucket or Amazon Web Services (AWS) response plan.
Security Engineer at a tech services company with 201-500 employees
Real User
Top 10
Sep 6, 2024
We use Cribl for data normalization, which involves standardizing data from various sources before sending it to a SIEM. This helps reduce costs associated with SIEM ingestion. Additionally, we use Cribl to sanitize data by removing or masking sensitive information from certain fields.
In this particular situation, we use Cribl to deploy data to various destinations. My role is to create and analyze data and deploy it to the appropriate location required by the organization. I also monitor data to manipulate or adjust it as needed. Additionally, we use it to amend or remove some lookup in the data or to add some phrases, ensuring it meets the organization's requirements. Overall, we use it for daily data management activities.
Security Engineer at a tech services company with 51-200 employees
Real User
Top 20
Sep 4, 2024
I use Cribl to ingest logs from different platforms. These logs could come from sources like Mimecast, Windows, or CrowdStrike logs. It acts as a pipeline to send data to our destinations and also helps in reducing the amount of logs sent by applying different functions on them.
Lead Engineer at a tech vendor with 1-10 employees
Real User
Top 10
Aug 23, 2024
We were one of the first customers when Cribl launched. Around 10% to 20% of Cribl had already been implemented when I joined. My role involved expanding it to 100% of our incoming logs being processed through Cribl. Our primary use case was to collect logs from various cloud sources. We also planned to migrate and optimize our usage, as we now handle a significant volume, about 15 TB, with enterprise licensing. Cribl played a crucial role in reducing costs and improving efficiency, though we’re still fully realizing those benefits. We have now implemented Cribl as our primary log collection endpoint. We use it alongside Splunk, aiming to reduce licensing costs while taking advantage of Cribl's streamlined log collection features. Once Cribl is fully integrated, we plan to segregate data—moving less critical logs, like test and non-production logs, to open-source solutions to further reduce licensing costs. In our hybrid environment, with enterprise and open-source tools, Cribl has simplified the process. We've successfully used it to migrate our enterprise logs to the cloud, and this migration is ongoing. Cribl has been instrumental in ensuring that these changes do not disrupt our production systems and has made the migration between different log management tools, including Splunk and others like Microsoft Sentinel or Datadog, much smoother.
Senior Splunk Admin at a consultancy (self-employed)
Real User
Top 10
Jul 26, 2024
We use Cribl for multiple purposes. One key use is migration to Splunk Cloud. Traditionally, we used Splunk as an intermediate forwarder but switched to Cribl for this role. Cribl collects and sends the logs directly to the cloud, forwarding all data to Splunk Cloud. Another advantage is the ability to extract only the necessary data visually rather than handling it in Splunk's Props. You can see the changes you're making and directly onboard specific logs, avoiding the need to onboard all data. Additionally, Cribl offers other valuable features. For instance, you can replay data from an edge device, store your daily data in a stream, and replay specific event data into Splunk if a security incident occurs. This targeted replay allows for analysis without onboarding all data into Splunk, providing a significant cost-saving benefit.
Cribl offers advanced data transformation and routing with features such as data reduction, plugin configurations, and log collection within a user-friendly framework supporting various deployments, significantly reducing data volumes and costs. Cribl is designed to streamline data management, offering real-time data transformation and efficient log management. It supports seamless SIEM migration, enabling organizations to optimize costs associated with platforms like Splunk through data...
My main use cases for Cribl include data reduction, sampling, aggregation, and advanced routing of data to get them to the right place with speed.
Our use cases that we are exploring Cribl for right now are for data parsing and data manipulation.