Cribl Reviews

The use case is for data log optimization and log rerouting. Along with log optimization and log rerouting, we have been using Cribl for data lakes.

Overall, Cribl has improved my organization. The reduction in firewall logs has influenced my data processing workflow. When we talk about data optimization, these events ingested into Cribl are basically the raw info, raw logs. Enhancing those events to optimize, to add new fields or to remove the extra fields that are of no use helps us in log reduction by dumping the raw logs and only ingesting the interested fields, which helps us in 50 to 60% volume reduction.

We can change the log format in case any data feed is ingesting logs in some different format, so we can reformat the logs and send those logs into some JSON format or any other format that is more understandable to any normal person. 

Cribl has been able to manage and take care of a high volume or any outburst of logs. We are able to manage those by creating alerts whenever resource thresholds are being breached so we can scale up the workers.

The best feature in Cribl is the UI, which is user-friendly. Apart from being user-friendly, you can have integration with Git, GitHub, and other config version controlling tools that we need. You can integrate them as well. Currently, I'm using GitHub, so it's quite easy to integrate it with GitHub and use it. We have multiple source integrations available, with multiple destinations being supported by Cribl. I'm using a cloud version which is not hosted in Cribl; it's on our own cloud that we have hosted. It's a containerized version that we are using for Cribl. It's quite easy to patch the Cribl host as well.

Given the dynamic nature, we can create workers, worker nodes on the fly. We can increase or decrease the worker nodes as per our requirements. For knowledge objects, we can have the lookups added and we can do the filtering based on lookups. We can use the custom packs as well to enhance our logs. 

Log enhancement is another feature, and when I say log optimization, this has been one of the best features for Cribl where you can reduce the log size by filtering the selective logs, enhancing the log quality by filtering the requested fields within the logs and filtering out the unnecessary garbage value within our logs.

Another interesting feature is that you can have the logs rerouted to multiple destinations, whether it be S3 bucket or any SIEM solution, any data lake, or any third-party tool. 

Over the period, we have upgraded Cribl, and earlier it did not support multiple sources. Now with the upgrades, it has integrated with multiple new sources and different integration mechanisms such as Wiz, TCP, Syslog; all those functionalities have been excellent.

In terms of areas for improvement, I would say Cribl internal logging has been one of the bottlenecks; that should be enhanced. If we can have more internal logs and more debug logs to validate the error, that would be beneficial because instead of reaching out to Cribl support, we can troubleshoot and find the root cause ourselves.

Currently, Cribl only provides monitoring for the data that is being ingested. If Cribl could store metrics for the data that has been ingested in the past, that would be valuable because there have been certain scenarios where tenants mentioned they are not receiving the logs from the past. There's no way to go back and check whether Cribl received those logs or not. If there could be metrics that could help us provide how much data for a particular week we received, it would be very beneficial.

Another enhancement I would expect is if Cribl could have more dashboards for troubleshooting, which would be very beneficial. I would expect Cribl to provide those troubleshooting dashboards to troubleshoot and try the errors, as it becomes tough to understand where the root cause is when an issue occurs. If Cribl can have more alerts defined in itself, rather than relying on any SIEM solution to forward the logs and configure the alerts over there, having Cribl itself with alerting mail notifications or SNS would be very beneficial.

I have been using this solution for almost one and a half or two years.

I would rate the stability as ten out of ten. The platform has been stable unless there have been unforeseen circumstances such as an outburst of logs that the team has not been informed of. In such cases, I've seen some outages, but this is not caused by Cribl. This has been caused by the source team or the ops team.

Regarding scalability, the current Cribl certifications available on Cribl support are good. User, admin, and edge certifications are very good. I enrolled for one of the certifications that required instructor-led training, but I couldn't find the slots for that.

It's an enterprise version, and we have a good amount of users using this solution.

I would rate the technical support an eight out of ten. I've kept two points for improvisation in terms of internal logging. Given the scenario that whenever there is an issue, we may have to engage support, if they could enhance their internal logging, we won't require Cribl support to engage.

Positive

Deployment is somewhat easy, but I would appreciate it if Cribl can provide more documentation on Cribl deployments. They need to upscale their knowledge base. 

The time it takes to deploy depends on the environment; if the initial requirement is just to have a few workers and the leader spin up, it should not take much time. If the initial setup is huge, then it depends on how many sources need to be integrated and where we are hosting it. If it is Cribl Cloud, it would be easier, but if it's a hybrid one, some complexity depends on the sort of environment you have.

I have not conducted much analysis on the return on investment part, but in the POCs that I have done in different projects and in the current one, there has been almost 30% return over investment available. However, it varies from project to project and requirements as well. If there's a requirement only to do the filtering and enhance the log and optimize them, it has helped, but in those cases where log optimization is not required, only enhancement is required, it has somewhat varied. In the case of optimization, it has helped return on investment to somewhere close to 50%.

Regarding pricing, nothing comes free. Obviously, when we are using Cribl, it has a cost associated, but over time, the licensing cost has increased, given the scenario that Cribl is gaining popularity.

Given the scenario that it's a new tool in the market, it has been promising enough. With the features and functionalities that it offers, it's been very good.

I would recommend Cribl to other users, especially if someone is looking to optimize their logs and do volume reduction. But everything comes at a price. If you are not utilizing it to the max, you won't be able to get a good return on investment. Always ensure that whenever you have such things in place, you have the complete benefits of that particular functionality being used.

I would rate Cribl an eight out of ten.

We use Cribl for data normalization, which involves standardizing data from various sources before sending it to a SIEM. This helps reduce costs associated with SIEM ingestion. Additionally, we use Cribl to sanitize data by removing or masking sensitive information from certain fields.

Cribl filters out unnecessary events and data, and we reduced the costs associated with SIEM ingestion.

You can use Cribl to route the same data to different destinations. For instance, if a company uses multiple SIEMs and needs data in each, Cribl makes it easy to direct that data to various destinations. Setting up API connections to get data into the platform is easy. Cribl offers a cloud version, allowing different workspaces to segregate various functions within a company or organization.

The documentation part could be better. Their documentation could be updated, as new features often outdated existing information. Additionally, there are inconsistencies between the documentation for Cribl Cloud and Cribl on-premises. This can be confusing, as features may differ, leading to potential misunderstandings if you use documentation intended for one version while working with another. Consolidating and improving the clarity of the Cribl Cloud documentation would be very helpful.

I have been using Cribl for a year and a half.

It is highly scalable. If you need more cloud worker groups, you're just a click or two away from doing that at extra cost.

Depending on the license, we usually provide a Customer Success Manager to assist with any questions or issues when onboarding Cribl. They are very responsive, and their support is quite helpful.

Neutral

We employed a hybrid strategy, setting up Cribl Cloud as the head node in their environment. For data processing, we used worker nodes within the client’s environment, which are closer to the data sources. This setup allowed us to process data locally before sending it to our destination. For cloud assets, such as SaaS applications like Salesforce, we used the cloud-hosted Cribl instance to handle that information. Meanwhile, the on-premises data was processed by the hybrid worker nodes.

We encountered delays due to third-party issues, extending the timeline to six to seven months. Without these issues, it likely would have taken around three months, depending on the speed of obtaining API keys, authorizations from networking teams, and other factors. Under ideal circumstances, a three-month timeframe would be more accurate.

You need to maintain the pipeline, which includes data processing, before it reaches its destination. When onboarding new data, managing and rotating API keys as needed is important. Maintaining these aspects ensures faster and more efficient deployments.

If you want to reduce log ingestion or route data to multiple destinations, consider using an on-premises or cloud solution. Your choice will depend on your organization’s network constraints. For example, if critical assets on your network need to connect to the internet, your network team might have restrictions. Weigh the benefits of cloud versus on-premises options to determine what best fits your needs.

With less data coming into our system, we can now run queries faster since we're not processing as much data as before. The reduction has made our queries more efficient because we're working with more streamlined data.

The quick connects are great for testing and allow you to rapidly set up a proof of concept, which is very beneficial. They can also be useful in production environments. Another significant feature is the recent Sentinel integration. The provided pack simplifies the setup process, making it much easier than the previous method, where you had to manually handle tasks like finding API keys. This integration makes the setup much more efficient.

Overall, I rate the solution a seven out of ten.

We were one of the first customers when Cribl launched. Around 10% to 20% of Cribl had already been implemented when I joined. My role involved expanding it to 100% of our incoming logs being processed through Cribl. Our primary use case was to collect logs from various cloud sources. We also planned to migrate and optimize our usage, as we now handle a significant volume, about 15 TB, with enterprise licensing.

Cribl played a crucial role in reducing costs and improving efficiency, though we’re still fully realizing those benefits. We have now implemented Cribl as our primary log collection endpoint. We use it alongside Splunk, aiming to reduce licensing costs while taking advantage of Cribl's streamlined log collection features.

Once Cribl is fully integrated, we plan to segregate data—moving less critical logs, like test and non-production logs, to open-source solutions to further reduce licensing costs. In our hybrid environment, with enterprise and open-source tools, Cribl has simplified the process. We've successfully used it to migrate our enterprise logs to the cloud, and this migration is ongoing. Cribl has been instrumental in ensuring that these changes do not disrupt our production systems and has made the migration between different log management tools, including Splunk and others like Microsoft Sentinel or Datadog, much smoother.

One of the main benefits is the simplified log collection from multiple sources. Cribl offers easy plugin configurations and source collection settings, allowing us to collect logs from any source. We can test by passing sample logs without needing a separate test environment, unlike in Splunk, where onboarding data requires a non-prod environment and multiple validations before moving to production. Cribl significantly reduces the time required by allowing us to upload samples, perform parsing and field extractions, and commit directly to production.

Cribl has simplified many aspects of the onboarding process, but there's still room for improvement. Currently, no other tools in the market truly compete with Cribl in its niche. Splunk is trying to retain customers by developing ingest actions to reduce licensing costs, hoping to prevent them from switching to Cribl.

There is no alerting mechanism for the leader/worker nodes status.

Since Cribl plays a major role in the mid-layer between the source and destination, there's a slight risk of losing data at some points while receiving real time data.

It would be helpful if Cribl could temporarily store or index the data for a specific time range. This would prevent data loss during downtime. Additionally, there's room for improvement in how Cribl handles historical data. Currently, I can't view trends beyond a week, and even then, it’s often limited to just 24 hours. Since Cribl doesn’t index the data but only forwards it, extending the period for viewing statistics and monitoring trends would be a valuable enhancement.

I have been using Cribl for around two and a half years. We are using V4.1.2 of the solution.

We've encountered some minor bugs, particularly in data parsing. However, these were quickly addressed in the next version. It is a stable product with ongoing development that reflects steady improvement.

Ten members use this solution from both on-site and off-site.

The support we've received over the last two years has been good. Whenever I've raised a case, they've addressed it based on the priority level and have been consistently supportive.

Positive

Cribl can collect data from any source straightforwardly without disrupting the existing logging setup—minor changes are needed to point the logs to Cribl. One of the main reasons we adopted Cribl was to reduce our Splunk licensing costs, which has been very effective. The cost savings from using Cribl versus the reduced licensing fees for our enterprise setup are significant.

In the first implementation phase, we saw noticeable results in reduced licensing costs. As management pushed for further cost savings by incorporating open-source solutions, Cribl was crucial in ensuring a smooth transition. Whether migrating from one tool to another, splitting, or moving from enterprise to cloud, Cribl has made these transitions seamless.

The initial setup with Cribl is much easier. Upgrading versions, especially in cloud environments, is almost a single-click process. Upgrading is also straightforward for on-premises setups—updating the leader node automatically distributes the upgrade to all worker groups and nodes. This makes upgrading, maintaining, and installing Cribl relatively simple compared to other tools.

Additionally, Cribl offers free training for users and administrators. The existing learning materials are comprehensive enough to support effective use and deployment.

Compared to other enterprise solutions, Cribl tends to be more cost-effective. While other major players can be quite expensive, especially as data volumes increase over time, Cribl offers a fair pricing model. As organizations continue to generate larger amounts of data daily, it's important for large enterprise solutions to reconsider their pricing structures and potentially offer better deals for larger data needs. Cribl is not the cheapest option but provides good value, given its scalability and efficiency.

The first thing to consider is the amount of data you're dealing with. Cribl is particularly beneficial for large-scale data environments. It allows you to process and store data efficiently, similar to how Splunk uses summary indexes. For example, when pulling raw events into Splunk, we often extract relevant logs using data models to simplify the data. Cribl enables a similar approach by letting you directly parse and filter data. If you have a raw event with hundreds of fields but only need 40% of those for day-to-day operations, Cribl lets you create multiple pipelines to extract the necessary data for your enterprise and production servers.

At the same time, you can save a complete copy of the raw events in data lakes or local storage without affecting daily operations. If a security incident arises and the extracted fields don’t provide enough information, Cribl’s replay feature allows you to retrieve and analyze the raw data for a specific time range. This capability is handy when handling terabytes of data per day. When someone asks if Cribl is right for their needs, my first question is about the size of the data they're dealing with.

Overall, I rate the solution a ten out of ten.

We use Cribl Stream as a pipeline mid-tier solution. One use case involves curating logs for various reasons, such as reducing log size, redaction, and ensuring proper data ingestion across multiple end systems. 

The platform's most valuable feature is the ability to transform data in real-time within the pipeline without sending it to a destination. This flexibility allows me to make necessary changes to the data in real time. 

Additionally, it offers powerful functionalities for data reduction, masking, and adding intelligence. The inbuilt packs also ease the work by providing ready-to-use functions.

Cribl could improve by offering easier integrations with enterprise products, similar to what Splunk provides. 

I started using Cribl in 2018 for a proof of concept with one of my clients.

I haven't experienced stability issues. The solution has mechanisms to handle persistent queuing and other potential problems, which helps prevent crashes or downtime.

The product is highly scalable. Deploying a node is quick and easy, often taking just fifteen minutes. You can automate the process using a CI/CD pipeline.

I have contacted the technical support team. My experience has been mixed; sometimes, the support is excellent, quick, and knowledgeable, while other times, it has been less effective.

Neutral

The setup was straightforward, as Cribl is similar to Splunk in terms of installation and management. It takes about 30 minutes to an hour to complete, though creating routes and pipelines takes additional time.

One person can handle the installation itself. The UI is user-friendly, making it manageable for an individual. However, having a team with development knowledge could be beneficial for creating routes and pipelines.

Initially, I had Cribl professional services to guide me through the setup. However, given my experience with Splunk, I could handle the deployment after the initial guidance.

The product pricing is reasonable compared to other solutions like Splunk. It offers good value, especially considering the potential savings on other licenses, such as those for Splunk.

For new users, it is advisable to complete their certification. They have an extensive and very good set of online courses, so doing these and completing the certification will give you a good start. If you’re a new user, this would be your first place to go. It will give you a good launchpad for managing and using it.

I rate it an eight.  

In this particular situation, we use Cribl to deploy data to various destinations. My role is to create and analyze data and deploy it to the appropriate location required by the organization. I also monitor data to manipulate or adjust it as needed. Additionally, we use it to amend or remove some lookup in the data or to add some phrases, ensuring it meets the organization's requirements. Overall, we use it for daily data management activities.

Cribl makes the work easier by providing a straightforward way to deploy data from the source to the destination without much coding. It is valuable for resizing data, increasing process complexity, and enhancing deployment availability. It simplifies the process of sending data to various destinations while providing options to block certain destinations, which is more efficient compared to other applications that require deploying data one at a time.

Features such as Cribl Stream, Cribl LogStream, and Cribl Edge have been the most beneficial. The Cribl LogStream, in particular, is valuable for routing data, creating firewalls on pipelines, and putting security measures in place to ensure data reaches its destination without issues.

Cribl should consider adding more features that are applicable to smaller firms, allowing broader access to their data migration through Cribl. Additionally, there's room for more enhancement concerning the desktop server so tasks can be processed more directly.

I worked with Cribl for about eight months, and I stopped working on a specific project with it five months ago.

Cribl has been stable. Even when issues arise, having a KPI knowledge allows us to address challenges without significant difficulties.

Cribl is very scalable, and I'm looking forward to continuing to work with it for a long time due to its ability to upgrade and improve continuously.

I would rate Cribl's customer service and technical support as nine and a half out of ten. We have worked with various teams to address some issues, and the support has been exceptional.

Positive

Previously, I worked with Azure Active Directory and other applications to handle tasks such as Azure DBN, data deployment, and subscription management

The initial setup of Cribl was straightforward, often taking as little as thirty minutes for deployment. Cribl has QuickConnect features that simplify the process significantly. However, we preferred using routing and pipelines for more control and security measures.

Working with the relevant implementation teams, including the network and SOC teams, ensured that deployment and maintenance processes were completed smoothly.

For now, I haven't seen a return on investment with Cribl, particularly in terms of processing time and cost-saving.

Cribl offers a reduction in pricing, up to thirty percent, which is beneficial. Although I'm not involved in licensing, I know that the price reduction is accurate and well-received.

There are other solutions like Azure and Splunk, and each has its strengths. Cribl stands out due to its streaming data model and integration for security use.

I would recommend Cribl to organizations facing data challenges due to its perfect security measures and ease of use. It offers a simple, fast, and efficient solution.

Entire logs from my organization go through Cribl and get routed to Splunk and various other destinations. I use it on a large scale in my organization. Cribl Stream is one of my favorite parts. I use Cribl to route the logs to various destinations. It helped us to completely remove the monopoly on Splunk. Not only firewall logs, but also cloud trail logs and many other logs were processed through Cribl.

It helped us to completely remove the monopoly on Splunk, as we previously couldn't have any control over logs and how to optimize them. When we had Cribl in place, it provided a vision and a platform for us to control what we send and how we send it in terms of data passing, data enrichment, and many more things, with massaging the data. It also helped us to open up to many tools where we could send the data to various destinations, as it is vendor-agnostic.

Cribl Stream is good, but I feel they could develop more products apart from Cribl Stream for my use case. I know Search is coming and Data Lake is there, but there can be more innovations in Cribl. They had one good product, which is Cribl Stream, which appears to be the primary revenue source for the company, but there may be many other use cases. They could explore OTel and how to connect with DynaTrace. They are looking specifically for logging, but expanding into metrics and APM would also help.

I have been using Cribl for the past three to four years.

On-premises deployment is something which customers take care of themselves. Earlier versions had quite a few issues, but there are more stable versions now, so it is a good time to start using Cribl.

They are very scalable and good.

They are very good in terms of solving issues. Regarding availability over other time zones, since it is mostly focused on Europe and US, they are starting to build up in New Zealand and other places.

I tried a few other alternatives as POCs, but none of them worked out as effectively as Cribl.

We worked on it for six months. Our infrastructure is complex, so it took almost six months, a couple of quarters.

If you have a good architect and a couple of Cribl staff members to assist, three persons can handle the implementation.

It is feasible and doable. Compared to Splunk, Cribl is cheaper.

Pricing is feasible and doable. Compared to Splunk, Cribl is cheaper.

I tried a few other alternatives as POCs, but none of them worked out as effectively as Cribl.

It has been able to perform to the best of its capabilities. They are able to handle everything with their non-shared architecture. On a scale of 1-10, I would rate Cribl a solid nine.

We've encountered several challenges, but what's most promising and encouraging is Cribl's scalability. The architecture is impressive, and it distributes work across all worker nodes and communicates with the leader.

There have been several administrative issues. Another point is that the browsing functions aren't very intuitive.

The most challenging aspect is the versioning system. Everyone can see and potentially deploy each other's changes in a team of developers. Unlike traditional versioning systems, where you work in isolated feature branches and only merge changes after reviewing conflicts, Cribl's versioning system requires careful management because everyone works on the same repository. 

I work with a team that includes both experienced and less experienced developers. Though new to this technology, the two senior developers have extensive experience with various other technologies and can get up to speed relatively quickly with the available training. The less experienced developers face significant challenges. They struggle to understand the system, suggesting it may not be intuitive.

I have been using Cribl for two years.

I rate the solution’s stability a seven out of ten.

10-15 people are using this solution.

Everything works, but it required a lot of support. The setup wasn't easy, but the support team was very helpful and managed to get everything production-ready. 

Setting up Cribl for basic training is straightforward and effective. You can easily configure it on your laptop by downloading the binaries and using simple command-line instructions to set it up in different modes, like leader, edge node, or single deployment. Adding a worker node is also simple; just run a script generated in the UI, and it's up and running.

The enterprise setup process is more complex, and there are significant documentation challenges. Despite the system eventually being available, the process involved many support calls and workarounds. Getting everything set up for a production-ready enterprise deployment was long and challenging.

In some of the projects I've been working on, we're still testing and exploring Cribl's capabilities. We haven't established specific business goals or fixed objectives yet. Currently, we're focused on ingesting data from various sources with minimal transformation to understand how Cribl handles different types of logs and data.

I encounter issues with the UI not accurately reflecting the current status. For example, the UI might show that a worker is still fetching the latest version of the code, but after refreshing the page, it usually updates to show that everything is up and running. Over time, I've learned to recognize when the UI is not displaying the correct information and use the refresh button to get the accurate status.

Overall, I rate the solution a six out of ten.

My primary use case for the platform was the internal management of events, parsing, and enriching events based on lookup files. It involved creating sources and destinations, managing data processing, and serializing data.

The solution has streamlined our data management and processing, making handling event data easier and forwarding it to the required destinations. It has provided a robust framework for managing data flows and event parsing, improving our overall efficiency in handling large volumes of data.

The product's most valuable features include the internal management of events, coding perspective, data processing, and serialization.

The product could be improved in terms of its logging and debugging capabilities. The sys logging could be enhanced to make it easier to identify errors, especially when dealing with multiple functions. Additionally, the user interface could be more flexible for advanced customizations.

I have been using Cribl for over one year. In my previous position, I integrated it with Broadview and socket and SNMP for event management, forwarding events to BigPanda via webhook, and writing JavaScript code for event parsing and enrichment.

I rate the stability of this solution as six out of ten. While it is generally stable, issues have affected its reliability, especially with more advanced and customized uses.

The solution is quite scalable. It allows for performance extension by distributing workloads among multiple workers via a load balancer. This architecture supports different customer needs for small-medium companies or larger enterprises.

The support team is good and willing to resolve issues. However, they could improve their understanding of customer requirements.

The initial setup can vary in complexity depending on the integration. It is straightforward for well-defined formats like JSON or XML. However, customized integrations may require significant development effort.

The solution is well-suited for quick integrations and common data processing tasks. However, highly customized integrations might require additional development efforts.

I rate it a seven out of ten.