
Reviews from AWS customer

1 AWS reviews

External reviews

14 reviews

External reviews are not included in the AWS star rating for the product.


    Hariram G

Collects logs from various cloud sources with reduced costs and improved efficiency

  • August 23, 2024
  • Review provided by PeerSpot

What is our primary use case?

We were one of the first customers when Cribl launched. Around 10% to 20% of Cribl had already been implemented when I joined. My role involved expanding it to 100% of our incoming logs being processed through Cribl. Our primary use case was to collect logs from various cloud sources. We also planned to migrate and optimize our usage, as we now handle a significant volume, about 15 TB, with enterprise licensing.

Cribl played a crucial role in reducing costs and improving efficiency, though we’re still fully realizing those benefits. We have now implemented Cribl as our primary log collection endpoint. We use it alongside Splunk, aiming to reduce licensing costs while taking advantage of Cribl's streamlined log collection features.

Once Cribl is fully integrated, we plan to segregate data—moving less critical logs, like test and non-production logs, to open-source solutions to further reduce licensing costs. In our hybrid environment, with enterprise and open-source tools, Cribl has simplified the process. We've successfully used it to migrate our enterprise logs to the cloud, and this migration is ongoing. Cribl has been instrumental in ensuring that these changes do not disrupt our production systems and has made the migration between different log management tools, including Splunk and others like Microsoft Sentinel or Datadog, much smoother.

What is most valuable?

One of the main benefits is the simplified log collection from multiple sources. Cribl offers easy plugin configurations and source collection settings, allowing us to collect logs from any source. We can test by passing sample logs without needing a separate test environment, unlike in Splunk, where onboarding data requires a non-prod environment and multiple validations before moving to production. Cribl significantly reduces the time required by allowing us to upload samples, perform parsing and field extractions, and commit directly to production.

What needs improvement?

Cribl has simplified many aspects of the onboarding process, but there's still room for improvement. Currently, no other tools in the market truly compete with Cribl in its niche. Splunk is trying to retain customers by developing ingest actions to reduce licensing costs, hoping to prevent them from switching to Cribl.

There is no alerting mechanism for the leader/worker nodes status.

Since Cribl plays a major role in the mid-layer between the source and destination, there's a slight risk of losing data at some points while receiving real time data.

It would be helpful if Cribl could temporarily store or index the data for a specific time range. This would prevent data loss during downtime. Additionally, there's room for improvement in how Cribl handles historical data. Currently, I can't view trends beyond a week, and even then, it’s often limited to just 24 hours. Since Cribl doesn’t index the data but only forwards it, extending the period for viewing statistics and monitoring trends would be a valuable enhancement.

For how long have I used the solution?

I have been using Cribl for around two and a half years. We are using V4.1.2 of the solution.

What do I think about the stability of the solution?

We've encountered some minor bugs, particularly in data parsing. However, these were quickly addressed in the next version. It is a stable product with ongoing development that reflects steady improvement.

What do I think about the scalability of the solution?

Ten members use this solution from both on-site and off-site.

How are customer service and support?

The support we've received over the last two years has been good. Whenever I've raised a case, they've addressed it based on the priority level and have been consistently supportive.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Cribl can collect data from any source straightforwardly without disrupting the existing logging setup—minor changes are needed to point the logs to Cribl. One of the main reasons we adopted Cribl was to reduce our Splunk licensing costs, which has been very effective. The cost savings from using Cribl versus the reduced licensing fees for our enterprise setup are significant.

In the first implementation phase, we saw noticeable results in reduced licensing costs. As management pushed for further cost savings by incorporating open-source solutions, Cribl was crucial in ensuring a smooth transition. Whether migrating from one tool to another, splitting, or moving from enterprise to cloud, Cribl has made these transitions seamless.

How was the initial setup?

The initial setup with Cribl is much easier. Upgrading versions, especially in cloud environments, is almost a single-click process. Upgrading is also straightforward for on-premises setups—updating the leader node automatically distributes the upgrade to all worker groups and nodes. This makes upgrading, maintaining, and installing Cribl relatively simple compared to other tools.

Additionally, Cribl offers free training for users and administrators. The existing learning materials are comprehensive enough to support effective use and deployment.

What's my experience with pricing, setup cost, and licensing?

Compared to other enterprise solutions, Cribl tends to be more cost-effective. While other major players can be quite expensive, especially as data volumes increase over time, Cribl offers a fair pricing model. As organizations continue to generate larger amounts of data daily, it's important for large enterprise solutions to reconsider their pricing structures and potentially offer better deals for larger data needs. Cribl is not the cheapest option but provides good value, given its scalability and efficiency.

What other advice do I have?

The first thing to consider is the amount of data you're dealing with. Cribl is particularly beneficial for large-scale data environments. It allows you to process and store data efficiently, similar to how Splunk uses summary indexes. For example, when pulling raw events into Splunk, we often extract relevant logs using data models to simplify the data. Cribl enables a similar approach by letting you directly parse and filter data. If you have a raw event with hundreds of fields but only need 40% of those for day-to-day operations, Cribl lets you create multiple pipelines to extract the necessary data for your enterprise and production servers.

At the same time, you can save a complete copy of the raw events in data lakes or local storage without affecting daily operations. If a security incident arises and the extracted fields don’t provide enough information, Cribl’s replay feature allows you to retrieve and analyze the raw data for a specific time range. This capability is handy when handling terabytes of data per day. When someone asks if Cribl is right for their needs, my first question is about the size of the data they're dealing with.

Overall, I rate the solution a ten out of ten.

Which deployment model are you using for this solution?

On-premises


    Feroz Khan Peer Mohamed

Has effective UI and valuable real-time data transformation functionality

  • August 09, 2024
  • Review provided by PeerSpot

What is our primary use case?

We use Cribl Stream as a pipeline mid-tier solution. One use case involves curating logs for various reasons, such as reducing log size, redaction, and ensuring proper data ingestion across multiple end systems. 

What is most valuable?

The platform's most valuable feature is the ability to transform data in real-time within the pipeline without sending it to a destination. This flexibility allows me to make necessary changes to the data in real time. 

Additionally, it offers powerful functionalities for data reduction, masking, and adding intelligence. The inbuilt packs also ease the work by providing ready-to-use functions.

What needs improvement?

Cribl could improve by offering easier integrations with enterprise products, similar to what Splunk provides. 

For how long have I used the solution?

I started using Cribl in 2018 for a proof of concept with one of my clients.

What do I think about the stability of the solution?

I haven't experienced stability issues. The solution has mechanisms to handle persistent queuing and other potential problems, which helps prevent crashes or downtime.

What do I think about the scalability of the solution?

The product is highly scalable. Deploying a node is quick and easy, often taking just fifteen minutes. You can automate the process using a CI/CD pipeline.

How are customer service and support?

I have contacted the technical support team. My experience has been mixed; sometimes, the support is excellent, quick, and knowledgeable, while other times, it has been less effective.

How would you rate customer service and support?

Neutral

How was the initial setup?

The setup was straightforward, as Cribl is similar to Splunk in terms of installation and management. It takes about 30 minutes to an hour to complete, though creating routes and pipelines takes additional time.

What about the implementation team?

One person can handle the installation itself. The UI is user-friendly, making it manageable for an individual. However, having a team with development knowledge could be beneficial for creating routes and pipelines.

Initially, I had Cribl professional services to guide me through the setup. However, given my experience with Splunk, I could handle the deployment after the initial guidance.

What's my experience with pricing, setup cost, and licensing?

The product pricing is reasonable compared to other solutions like Splunk. It offers good value, especially considering the potential savings on other licenses, such as those for Splunk.

What other advice do I have?

For new users, it is advisable to complete their certification. They have an extensive and very good set of online courses, so doing these and completing the certification will give you a good start. If you’re a new user, this would be your first place to go. It will give you a good launchpad for managing and using it.

I rate it an eight.  


    Pawel Kwiatkowski

Provides a robust framework for managing data flows, but the debugging capabilities need improvement

  • August 07, 2024
  • Review provided by PeerSpot

What is our primary use case?

My primary use case for the platform was the internal management of events, parsing, and enriching events based on lookup files. It involved creating sources and destinations, managing data processing, and serializing data.

How has it helped my organization?

The solution has streamlined our data management and processing, making handling event data easier and forwarding it to the required destinations. It has provided a robust framework for managing data flows and event parsing, improving our overall efficiency in handling large volumes of data.

What is most valuable?

The product's most valuable features include the internal management of events, coding perspective, data processing, and serialization.

What needs improvement?

The product could be improved in terms of its logging and debugging capabilities. The sys logging could be enhanced to make it easier to identify errors, especially when dealing with multiple functions. Additionally, the user interface could be more flexible for advanced customizations.

For how long have I used the solution?

I have been using Cribl for over one year. In my previous position, I integrated it with Broadview and socket and SNMP for event management, forwarding events to BigPanda via webhook, and writing JavaScript code for event parsing and enrichment.

What do I think about the stability of the solution?

I rate the stability of this solution as six out of ten. While it is generally stable, issues have affected its reliability, especially with more advanced and customized uses.

What do I think about the scalability of the solution?

The solution is quite scalable. It allows for performance extension by distributing workloads among multiple workers via a load balancer. This architecture supports different customer needs for small-medium companies or larger enterprises.

How are customer service and support?

The support team is good and willing to resolve issues. However, they could improve their understanding of customer requirements.

How was the initial setup?

The initial setup can vary in complexity depending on the integration. It is straightforward for well-defined formats like JSON or XML. However, customized integrations may require significant development effort.

What other advice do I have?

The solution is well-suited for quick integrations and common data processing tasks. However, highly customized integrations might require additional development efforts.

I rate it a seven out of ten. 


    Thamizhchelvan A P

Collects and sends the logs directly to the cloud and has free training

  • July 26, 2024
  • Review provided by PeerSpot

What is our primary use case?

We use Cribl for multiple purposes. One key use is migration to Splunk Cloud. Traditionally, we used Splunk as an intermediate forwarder but switched to Cribl for this role. Cribl collects and sends the logs directly to the cloud, forwarding all data to Splunk Cloud. 

Another advantage is the ability to extract only the necessary data visually rather than handling it in Splunk's Props. You can see the changes you're making and directly onboard specific logs, avoiding the need to onboard all data.

Additionally, Cribl offers other valuable features. For instance, you can replay data from an edge device, store your daily data in a stream, and replay specific event data into Splunk if a security incident occurs. This targeted replay allows for analysis without onboarding all data into Splunk, providing a significant cost-saving benefit.

What is most valuable?

You deploy the pops and see it effectively on the page. There are functions that you can deploy in the pipeline, and you can sample that particular function. For instance, if I'm deploying a function like an A or JSON function, I can test it live before deploying it into production. This allows us to play with the data and verify if the outcome is as expected, ensuring that the processed data matches the anticipated raw data amount. 

Additionally, if you want to push an upgrade in the recent four-star version, you can update all other worker groups directly from the master rather than updating each part separately. You can instruct the master to push the update to all other workers, eliminating the need to push the update to individual nodes.

What needs improvement?

Cribl has a good community base, but unlike some vendors like Splunk, which has many TAs, Cribl doesn't have as many packs available. They need to focus on developing more custom packs for various vendors so that their solutions can be used more effectively. This will help users identify which logs are necessary and which are not. 

For how long have I used the solution?

I have been using Cribl for the past three years. We are using the V4.1.2 of the solution.

What do I think about the stability of the solution?

Cribl is a pretty stable product.

How are customer service and support?

Support is quite good. If you notice an issue and report a case, they respond promptly. If there is a problem, they raise it internally, develop a fix, and push it to production immediately. Their turnaround time is also critical.

How was the initial setup?

The initial setup is easy if it is planned.

What's my experience with pricing, setup cost, and licensing?

It's cheaper than Splunk.

What other advice do I have?

Cribl has had a positive impact on reducing the need for multiple support services. It simplifies collecting log data from various cloud vendors in a single place, which is much easier than configuring, managing, and maintaining a database for a Splunk add-on. Cribl has made it easier to handle log data.

It takes about two months to get fully up to speed. Cribl provides free training and offers sandboxes for practice, allowing you to gain the necessary knowledge. Once trained, you can start working right away.

Overall, I rate the solution a ten out of ten.

Which deployment model are you using for this solution?

On-premises


    Phanindra Ponnada

Provides good documentation and worth the investment

  • July 25, 2024
  • Review provided by PeerSpot

What is our primary use case?

In my previous organization, I did not get a very good opportunity to explore Cribl. Right now, I am in a different company. I have started to use the tool for my client. I started using Cribl in my company to leverage Splunk's licenses. We use Cribl to massage the data, trim it, reduce it, and drop any unwanted data. It has been really worth it to have Cribl in our environment to save on Splunk licenses. Also, it is easy to connect the different sources, and you can create the routes. So you can connect from anywhere to anywhere. It is like a connector between the clouds or any kind of source and the Splunk. There are a lot of things, so I am still learning Cribl. Cribl is giving its certifications for free and has not yet started charging people for it. I think it has been seven years since Cribl has come into the boom. I also registered for the next level of courses with Cribl since it is free and is also used widely across companies. Most of the companies are using Cribl right now. After Cisco acquired Splunk, I believe Splunk's licensing costs might increase. People who already have a Splunk environment in their companies or organizations might expect a rise in price because it is merged with Cisco. In the future, Splunk's certification costs will also go high. I think Cribl will come into the picture, and people with Cribl's experience will have good opportunities.

What is most valuable?

Currently, cyber threats, security threats, and vulnerabilities have become more common. Every day, you see more than two or three vulnerabilities coming out, and every company is thinking about its security. When every organization thinks about its security, it expands its security devices, such as firewalls, EDR devices, or whatever devices are related to security. Companies are expanding their security solutions in their data centers or cloud platforms. What is happening is that because of these security devices, people are unable to ignore any kind of log that is coming into our environment. When you talk about security devices, the amount of data they produce per hour, five minutes, or per day is huge. As the entire world is moving towards cybersecurity to protect their environment, the number of security devices in the environment is also increasing. A lot of logs and huge data are coming into the picture, and companies have to think about every log. They don't have or are not able to ignore any log, so when this is the case, companies might have 10 TB or 10 GB per day invested into Splunk. In the future, if you want to secure your environment and you are installing security devices, you will have a burst of logs. If you have to purchase 30 TB of license with Splunk, but in Cribl, everything can be managed within 15 TB of license or 20 TB of license. I can leverage all the security logs talking to the security teams that can be ignored and even the ones that cannot be ignored.

What needs improvement?

As of now, there are some environments where some organizations are still on legacy infrastructure, so they are still in virtual environments and are using old versions of devices. Some companies bought Splunk, while others bought Cribl for a very low-priced license. There are some protocols to connect from Cribl to Splunk. I understand Cribl has come into the market very recently, but the tool might have had a picture in its mind where organizations might also have some legacy infrastructure. In the future, with our protocols or our level of architecture, Cribl should not come and say that it is not compatible with them. If Cribl is the reason because I have to change my environment, then I will have to end up investing more.

There are some organizations where the end machines have forwarders that forward the data to Cribl, and from it, the data is forwarded to Splunk. This is how general architecture works. There are two methods of connection between Cribl and Splunk. One is the S2S protocol, which collects logs from Cribl or sends data between Cribl and Splunk. There is another method called HTTP Event Collector (HEC) and HTTPS protocol. With Cribl, connecting to Splunk mostly uses the S2S protocol. The tool supports all the latest devices and platform devices, like all the latest operating systems. There are some organizations where there is legacy infrastructure or if they are still on the old platforms. Companies using old platforms have to consider HTTP Event Collector (HEC), and then they have to change their infrastructure setup in order to fulfill that setup. In order to have Google and Splunk set up in my organization, if I have to change my existing infrastructure connectivity or setup, that might incur more cost or more investment for me to have Cribl and Splunk. Cribl should provide compatibility, or else the tool's developers should speak to the people of such organizations and understand the challenges. Cribl could have developed some version that can give backward compatibility.

For how long have I used the solution?

I have been using Cribl for two years. I am a user of the tool.

What do I think about the stability of the solution?

I think it is a stable product. According to my observations, people who have five to six years of experience can add more value. However, you will have bugs in any product. You will never know what happens. I rate the stability an eight out of ten.

How are customer service and support?

I never got the chance to contact the solution's technical support, but my counterpart, who is a direct employee in the company, had contacted Cribl's support team, and it seems we get pretty good support.

Which solution did I use previously and why did I switch?

I never used anything before Cribl.

How was the initial setup?

When it comes to the product's installation phase, it is not tough for people who have good knowledge. I would like to highlight a similarity between Splunk and Cribl. Their official site's documentation makes even a layman's job easy. Just following the documentation, they can install the tool, but they still have to do it under some supervision.

The solution is deployed on the cloud and on an on-premises model. When you talk to the tool's global support, you can have the cloud version provided as a SaaS solution, or you can also have an enterprise-level version where you can have it in your own environment. If you have your own data center setup, you can buy Cribl's enterprise version, and you can install it, so it all depends on the requirements.

What was our ROI?

The tool is worth the investment.

What's my experience with pricing, setup cost, and licensing?

I would not say it is a cheaply priced tool as it has been doing wonders in the market. The tool has been budget-friendly for organizations. It would be good if people get into that data analytics area and understand the usage of Cribl and use it wisely. I wouldn't say it is a cheap product or it is of a higher price. I would say it is really a helpful tool for any mid-level company.

Which other solutions did I evaluate?

I am not really sure if there are any competitors to Cribl at the moment. I would say Cribl had used its marketing strategy in a better way to advertise its brand than its competitors, and maybe that is why every company thought about it more. I did not see that much advertisement from Datadog. Most of the people still don't know about Datadog.

Datadog is famous for application performance monitoring. I would disagree with those who use it to reduce their costs, as most people would prefer to use Cribl. Cribl's major agenda is to reduce the need for Splunk licenses.

What other advice do I have?

In my company, Splunk’s team uses Cribl to reduce its current number of licenses. My client does not have a very big IT infrastructure, so they have a very small infrastructure, and that may be why more people are not using it. In my previous organization, there were a lot of people who were using Cribl, where they could log their data easily.

If your organization has a lot of security data and wants to expand cybersecurity to protect your organization, and if you are using Splunk and want to reduce Splunk licenses, as Splunk has been in the market for a longer time, I recommend using Cribl. Cribl is also expanding its technology into observability and can also show dashboards or do some data analytics like that. If you talk about expenditures or investments, like if a company has a lot of money to invest, then it is okay. If a company has a very low budget, then it is good to start off with Cribl for data analytics.

For beginners, Cribl would be a tough subject because before using the tool, they need to understand the cloud, AWS, and the different data sources. Beginners won't understand what AWS or S3 is, why they need to connect them both, why they have to reduce the logs, or what the use of logs is. Cribl can be a tough subject for a person or a fresher who just passed out of college. It also depends on the background of the person using the tool. For example, if someone has taken computer networks as a major subject or has a specialization in networks, cloud management, or cloud computing, using Cribl would be a cakewalk.

You totally need to understand why you need Cribl, and so it all depends on your requirements. If my requirement is to work on log analytics, I would rate Cribl a nine out of ten. If my company is not much worried about the data analytics concept, then I would not use Cribl. Overall, I rate the tool a nine out of ten.