Cribl Reviews

In my previous organization, I did not get a very good opportunity to explore Cribl. Right now, I am in a different company. I have started to use the tool for my client. I started using Cirbl in my company to leverage Splunk's licenses. We use Cribl to massage the data, trim it, reduce it, and drop any unwanted data. It has been really worth it to have Cribl in our environment to save on Splunk licenses. Also, it is easy to connect the different sources, and you can create the routes. So you can connect from anywhere to anywhere. It is like a connector between the clouds or any kind of source and the Splunk. There are a lot of things, so I am still learning Cribl. Cribl is giving its certifications for free and has not yet started charging people for it. I think it has been seven years since Cribl has come into the boom. I also registered for the next level of courses with Cribl since it is free and is also used widely across companies. Most of the companies are using Cribl right now. After Cisco acquired Splunk, I believe Splunk's licensing costs might increase. People who already have a Splunk environment in their companies or organizations might expect a rise in price because it is merged with Cisco. In the future, Splunk's certification costs will also go high. I think Cribl will come into the picture, and people with Cribl's experience will have good opportunities.

Currently, cyber threats, security threats, and vulnerabilities have become more common. Every day, you see more than two or three vulnerabilities coming out, and every company is thinking about its security. When every organization thinks about its security, it expands its security devices, such as firewalls, EDR devices, or whatever devices are related to security. Companies are expanding their security solutions in their data centers or cloud platforms. What is happening is that because of these security devices, people are unable to ignore any kind of log that is coming into our environment. When you talk about security devices, the amount of data they produce per hour, five minutes, or per day is huge. As the entire world is moving towards cybersecurity to protect their environment, the number of security devices in the environment is also increasing. A lot of logs and huge data are coming into the picture, and companies have to think about every log. They don't have or are not able to ignore any log, so when this is the case, companies might have 10 TB or 10 GB per day invested into Splunk. In the future, if you want to secure your environment and you are installing security devices, you will have a burst of logs. If you have to purchase 30 TB of license with Splunk, but in Cribl, everything can be managed within 15 TB of license or 20 TB of license. I can leverage all the security logs talking to the security teams that can be ignored and even the ones that cannot be ignored.

I am using Cribl to have everything centralized in one tool in terms of data collection. We were working with different Splunk customers, and Cribl helps collect data and then send it to an S3 bucket or Amazon Web Services (AWS) response plan.

Cribl allows us to enforce security for some customers. For instance, if they want to add fields, values, or need to change formats to comply with different security standards, Cribl makes it possible.

We were one of the first customers when Cribl launched. Around 10% to 20% of Cribl had already been implemented when I joined. My role involved expanding it to 100% of our incoming logs being processed through Cribl. Our primary use case was to collect logs from various cloud sources. We also planned to migrate and optimize our usage, as we now handle a significant volume, about 15 TB, with enterprise licensing.

Cribl played a crucial role in reducing costs and improving efficiency, though we’re still fully realizing those benefits. We have now implemented Cribl as our primary log collection endpoint. We use it alongside Splunk, aiming to reduce licensing costs while taking advantage of Cribl's streamlined log collection features.

Once Cribl is fully integrated, we plan to segregate data—moving less critical logs, like test and non-production logs, to open-source solutions to further reduce licensing costs. In our hybrid environment, with enterprise and open-source tools, Cribl has simplified the process. We've successfully used it to migrate our enterprise logs to the cloud, and this migration is ongoing. Cribl has been instrumental in ensuring that these changes do not disrupt our production systems and has made the migration between different log management tools, including Splunk and others like Microsoft Sentinel or Datadog, much smoother.

One of the main benefits is the simplified log collection from multiple sources. Cribl offers easy plugin configurations and source collection settings, allowing us to collect logs from any source. We can test by passing sample logs without needing a separate test environment, unlike in Splunk, where onboarding data requires a non-prod environment and multiple validations before moving to production. Cribl significantly reduces the time required by allowing us to upload samples, perform parsing and field extractions, and commit directly to production.

We use Cribl Stream as a pipeline mid-tier solution. One use case involves curating logs for various reasons, such as reducing log size, redaction, and ensuring proper data ingestion across multiple end systems. 

The platform's most valuable feature is the ability to transform data in real-time within the pipeline without sending it to a destination. This flexibility allows me to make necessary changes to the data in real time. 

Additionally, it offers powerful functionalities for data reduction, masking, and adding intelligence. The inbuilt packs also ease the work by providing ready-to-use functions.

In this particular situation, we use Cribl to deploy data to various destinations. My role is to create and analyze data and deploy it to the appropriate location required by the organization. I also monitor data to manipulate or adjust it as needed. Additionally, we use it to amend or remove some lookup in the data or to add some phrases, ensuring it meets the organization's requirements. Overall, we use it for daily data management activities.

Cribl makes the work easier by providing a straightforward way to deploy data from the source to the destination without much coding. It is valuable for resizing data, increasing process complexity, and enhancing deployment availability. It simplifies the process of sending data to various destinations while providing options to block certain destinations, which is more efficient compared to other applications that require deploying data one at a time.

We use Cribl for multiple purposes. One key use is migration to Splunk Cloud. Traditionally, we used Splunk as an intermediate forwarder but switched to Cribl for this role. Cribl collects and sends the logs directly to the cloud, forwarding all data to Splunk Cloud. 

Another advantage is the ability to extract only the necessary data visually rather than handling it in Splunk's Props. You can see the changes you're making and directly onboard specific logs, avoiding the need to onboard all data.

Additionally, Cribl offers other valuable features. For instance, you can replay data from an edge device, store your daily data in a stream, and replay specific event data into Splunk if a security incident occurs. This targeted replay allows for analysis without onboarding all data into Splunk, providing a significant cost-saving benefit.

You deploy the pops and see it effectively on the page. There are functions that you can deploy in the pipeline, and you can sample that particular function. For instance, if I'm deploying a function like an A or JSON function, I can test it live before deploying it into production. This allows us to play with the data and verify if the outcome is as expected, ensuring that the processed data matches the anticipated raw data amount. 

Additionally, if you want to push an upgrade in the recent four-star version, you can update all other worker groups directly from the master rather than updating each part separately. You can instruct the master to push the update to all other workers, eliminating the need to push the update to individual nodes.

We use Cribl for data normalization, which involves standardizing data from various sources before sending it to a SIEM. This helps reduce costs associated with SIEM ingestion. Additionally, we use Cribl to sanitize data by removing or masking sensitive information from certain fields.

Cribl filters out unnecessary events and data, and we reduced the costs associated with SIEM ingestion.

My primary use case for the platform was the internal management of events, parsing, and enriching events based on lookup files. It involved creating sources and destinations, managing data processing, and serializing data.

The solution has streamlined our data management and processing, making handling event data easier and forwarding it to the required destinations. It has provided a robust framework for managing data flows and event parsing, improving our overall efficiency in handling large volumes of data.