
Reviews from AWS customer

15 AWS reviews

External reviews

44 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    reviewer2806896

Data workflows have become streamlined as I manage costs and parse diverse sources efficiently

  • March 03, 2026
  • Review provided by PeerSpot

What is our primary use case?

I use Cribl to move data and help with moving data, connecting different data sources to different destinations, which is what I mainly use it for.

I also use it to help parse the data as well.

What is most valuable?

Something that I really appreciate about Cribl is the preview feature. Whether it would be on the JavaScript I'm working on, it shows me the output in real time, which really helps with development.

I also appreciate the preview feature when it comes to data pipelines, as it shows me in real time how my pipeline would be working with the data. Additionally, I really appreciate the live capture feature as well to get an idea of how the data looks at different stages in the Cribl environment.

I think Cribl is an excellent tool for helping to manage data cost and keep it down as well as manage complexity.

What needs improvement?

Cribl has come a long way. I've been using it for three years, but there are still a lot of other features that I would appreciate regarding new data sources. One example would be open WebSockets.

There's currently not a native feature for that, so that requires a lot of time in development. I would also appreciate better support for JWT tokens for a REST API collection. While sometimes it does work, it seems very janky and seems like a stitched-together solution. It would be nice if there was a more supported version to help with JWT.

For how long have I used the solution?

I've been working with Cribl for a long time, at least three years, maybe more.

What do I think about the stability of the solution?

Cribl is very robust. It's not perfect, but very good stability.

What do I think about the scalability of the solution?

Cribl is very scalable. The product itself lends itself well to being scaled. Any issues I've had with scaling have mainly just been human issues of people not wanting to scale, but the product itself is very capable of scaling.

How are customer service and support?

The speed was fast. The quality, however, there wasn't a solution just because I think it was a bug and it was never fixed as far as I know. The speed was nice, but there was never a solution provided.

Which solution did I use previously and why did I switch?

I use Splunk.

What was our ROI?

From what I understand, I'm mainly on the engineering side, not the sales side, but the pricing is very competitive. Although the pricing can be a little bit high, I know that Cribl as a product helps save a lot of money by reducing data storage. The pricing is offset by the money I save by using Cribl.

What's my experience with pricing, setup cost, and licensing?

Cribl does require maintenance, especially if I'm deploying it on-premises. If I'm deploying on-premises on my machines, I've just got to make sure that they're being provisioned well, that they're being updated successfully, and that they're constantly balancing the worker processing across them.

Which other solutions did I evaluate?

I definitely prefer Cribl more, mainly for the UI and the preview feature that I mentioned about being able to see in real time my in and out for development. I think that speeds things up a lot.

However, I do like Splunk a lot too.

I think Splunk is better tailored for visualizations and presenting to clients, especially around metrics. I think I can do some visualizations and presentations of metrics in Cribl, but it's not as robust as Splunk.

What other advice do I have?

Definitely for large corporations, they would see the most benefit, but I think small and medium businesses could also benefit as well.


    Jigar Hirani

Log pipelines have reduced daily data volume and now simplify traffic analysis

  • March 03, 2026
  • Review provided by PeerSpot

What is our primary use case?

We generally use Cribl for dropping or optimizing our logs and data. We optimize logs using Cribl pipelines, then we route it to Splunk. That was our primary use case.

Our primary goal with using Cribl was to reduce our Cisco firewall logs where we are dropping the logs which are not necessary in our traffic-related logs, or the logs which generally only show a connection status. Those types of logs we were dropping using Cribl.

What is most valuable?

What I like most about Cribl is the overall pipeline structure and easiness. It is very easy to use and it also provides all the necessary features which are required in data processing. We do not need to learn so many things to do complex tasks. That's what I really appreciate about it. It's doing a simple process where you just need to know about your logic and that thing may be pre-built on Cribl. Cribl provides packages and all the features.

I would say Cribl provides you the value of your money. It provides you a good user interface where you manage all your data. You don't need to worry about your backend. Specifically, I'm talking about Cribl Cloud, as I have mostly been working with Cribl Cloud. It's very cost-optimized, or I can say whatever I'm paying, I'm getting all out of that.

What needs improvement?

Overall, the pipelines and all the features are good with Cribl. The UI is good. Just sometimes, when I actually started using Cribl, I faced the issue where I was not able to connect the nodes. The pipeline is structured in a certain way, then the data will be routed to there, and something of that nature. I was very much confused about their whole products, such as Data Lake and pipelines. It's possible that at that time I didn't take any university courses, which is why I did not know much. But if they can give an intro on how we can connect nodes, or they can provide simple use cases showing what you can do with Cribl, it would help. If you just need to add the source and the destination and pre-build some proper workflow, then it will be easy for new customers to navigate through Cribl.

For how long have I used the solution?

I have been working with Cribl for around one and a half years.

What do I think about the stability of the solution?

I don't feel Cribl has any issue with handling high volumes of diverse data types. We were ingesting around 10 TB of data daily, and we were reducing it to around six or five and a half terabytes. So it is pretty efficient. We have not faced any major issues with our ingestion or anything of that nature. It has the capability to catch up according to the data ingestion rate.

I have not seen any lagging, crashing, or downtime in Cribl at any particular time. But if I speak about lagging or anything, I faced some issue while capturing the log on the live source. Whenever I tried to capture the logs, I was a bit confused about whether logs are getting captured or if I was doing anything wrong. Because it does not show any error if my configuration is missing or something of that nature. Otherwise, I don't have any issue regarding Cribl performance or anything.

What do I think about the scalability of the solution?

I don't think there is any issue regarding scalability with Cribl. We were ingesting around 10 terabytes of data every day, and it didn't affect or cause any issue on any day.

Which solution did I use previously and why did I switch?

I would not say I have tried an alternative to Cribl properly. We tried to implement the same use case using Splunk Ingest Processor or Edge Processor, which is the recent product of Splunk. It is not as straightforward as Cribl. We must play in a restricted environment where we have limited support of the Splunk command. So I cannot say that it is actually similar to Cribl or something of that nature, and I have not used any others.

What other advice do I have?

I was able to create one simple pipeline with Cribl which was just dropping the data in around eight to twelve hours total, in which I basically understood what routes and pipelines are. I was playing with the UI and how the functions are working, how the pipeline flows the data, how I can duplicate the data, how I can drop, how I can null queue, and things of that nature.


    Vishwanath Singh

Log management has cut costs and now routes diverse data to multiple destinations efficiently

  • March 03, 2026
  • Review provided by PeerSpot

What is our primary use case?

As a Splunk administrator, I was using Splunk for everything from collecting logs to filtering them and viewing whatever I required, including searching queries. The Splunk license was costing me millions of dollars, so I wanted a tool where input data I did not require could be transformed to churn out meaningful data that I actually needed, with only that data being ingested into Splunk. Cribl played a very important role in this regard. It not only helped me with cost optimization but also transformed the data, and it was user-friendly. I used to have a specific regex query on my indexers, but those were removed once I introduced Cribl. In that way, I am using Cribl for cost optimization.

My sources and destinations are now being taken care of, whereas before, if I wanted to route my data to any specific destination, I had to configure it manually on the Splunk side. With Cribl, one source can have multiple destinations, and it is all UI friendly. This helps me considerably.

My core purpose in using Cribl is to get insight into login logs, including user login, log out, and all those sorts of logs. I use it for that purpose and have never come across anything such as a firewall.

What is most valuable?

When managing log processing tasks, my experience with Cribl's user interface is extremely smooth, quick, and very user-friendly. If I want to monitor my incoming data, I just have to go to that specific panel and click on monitoring. I can capture the live logs and make minute changes just to view how my output would look without needing to do anything on the back end. In that way, I would say it is very user-friendly, covering most of the available standard sources and destinations without needing additional plugins. If I want to source CrowdStrike or integrate it with Kafka, all that is available right on the UI.

From my perspective, I like Cribl Edge very much. Until now, I had to collect the data using a universal forwarder as an agent installed on the source side, but with Cribl Edge, you do not require any installation. You simply set up the source on the Cribl Edge side, and it starts collecting the data. Unlike traditional forwarders where you have to manually install the agent, Cribl Edge simplifies that process. Cribl Stream is also one of the best features. If I want to perform any transformation, I can create multiple routes and perform operations on the incoming data based on my output configuration. I can have my login routes into specific dashboards based on transformations. I am using both Stream and Edge.

Cribl Edge's centralized fleet management has saved a lot of my time and effort and has also helped with cost optimization. As a core Splunk administrator, I used to manually install the Splunk universal forwarder on my source site. Since using Cribl Edge, I just set up my source and do some networking tweaks to include it in my parameters, and then the agent starts collecting the required logs for me without the traditional installation process.

What needs improvement?

I think Cribl should enhance its visualization side, similar to Splunk or Grafana, where things can be visualized more accurately or presentably. Adding features for trending data lines and predictive analysis would be a beneficial addition.

For how long have I used the solution?

I have been working with Cribl for probably more than a year, maybe around fifteen to sixteen months.

What do I think about the stability of the solution?

Regarding stability and scalability, I have not faced any crashes, downtimes, or performance issues. I would rate it ten out of ten as it has been smooth overall. However, in tools like Splunk, you often have a free limit, but in Cribl, you need a production license to process anything.

How are customer service and support?

I am aware of Cribl's technical support. I can raise a case via email or use on-demand support. I am familiar with it but have not needed to reach out recently, though I am aware there is twenty-four seven support with a dedicated email ID.

I would rate the customer service or technical support team very high, around eight or nine. They are quick to respond, have a service-level agreement, and I have not encountered a time when it was breached. You can also provide your mobile number if something is urgent, and they will call you directly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before choosing Cribl, I did not really evaluate other options. We were predominantly relying on Splunk, and aside from it, we relied on primitive AWS agents. Choosing Cribl as an independent tool offered a major advantage since it is platform-independent and can integrate with any cloud environment.

How was the initial setup?

My experience with the initial setup and deployment process was straightforward. Cribl provides training, including free certifications called Cribl University. Anyone without a background in data processing can go through those certifications to understand how to install and use Cribl for their cases. Since I come from a similar background, I faced no challenges.

What about the implementation team?

Everything was done in-house. My leadership took care of procurement, and we managed the deployment, creating the topology and using it by ourselves.

What was our ROI?

The return on investment with Cribl is huge. My enterprise would have ended up paying a lot of money for similar types of work before Cribl was introduced, so the return is quite good.

What's my experience with pricing, setup cost, and licensing?

Regarding Cribl's pricing aspect, I find it very nominal. It seems to be a startup, and from an engineering enterprise perspective, it is price-friendly and not competitive. The price-to-benefit ratio shows high benefits compared to a comparatively low price.

Which other solutions did I evaluate?

I am using the software version, not working with it on the AWS cloud.

I bought the Cribl product directly from Cribl. I reached out to my leadership, and they facilitated getting the Cribl license and everything directly from cribl.io.

What other advice do I have?

Cribl handles high volumes of diverse data types, such as logs and metrics, very well. It is a stable platform; even with high input data ingestion, it does not slow down. My experience shows it is quite stable regardless of how large the amount of data being processed.

Cribl Search has helped me in a good way regarding long-term log retention and historical investigations. However, I have not explored that area much. My prime area was to reduce the costs associated with Splunk, which costs around seventy-five million dollars yearly due to many redundant logs. Cribl helped me filter those logs for cost optimization.

Unified management has absolutely helped me and saved me a lot of time. During situations concerning a major incident, I was able to get required results in less time, saving a lot of application downtime. Using Cribl on Kubernetes and Docker shows everything regarding the health of my underlying servers, making it easy to maintain. The core purpose I am using it for is cost optimization, and it has helped reduce incident time or downtime of my application, widely assisting me in areas where I needed it.

With Cribl Search's ability to search data in place, I can troubleshoot easily. I am using Cribl Stream with configured sources and destinations. If there is an error event, I can log in to the Cribl UI and type a query, such as the index name, to see all related events. It is helping me troubleshoot on the Cribl UI.

I do not think my wisdom or tech understanding is superior to offer advice. The tool itself is promising, but given the evolution of AI and similar technologies, it would be beneficial if Cribl could provide intelligent suggestions for configuration or search, similar to Visual Studio. I would rate this review an eight overall.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Izzy Navarro

Data workflows have become streamlined as I transform complex security telemetry with confidence

  • March 02, 2026
  • Review provided by PeerSpot

What is our primary use case?

My use cases for Cribl include ETL: Extract, Transform, Load.

What is most valuable?

One thing that I like the most about Cribl is parsing data and parsing data sets for security. I would say automation use cases and detections are also great aspects.

My favorite feature of Cribl is that the UI is pretty intuitive, and they have a very good open-source platform.

What needs improvement?

One challenge that I find with Cribl is that it's nuanced, so if you're not familiar with how to do specific data transactions, it's going to be a difficult solution for someone to use. You have to be educated to a specific degree and understand data communication from beginning to end, alongside understanding the tool itself and how it operates; it can be confusing and challenging for some people if you don't understand how to use it.

I can't sit here and say that I've physically witnessed a decrease in firewall logs with Cribl, but certainly, there probably is one because of the way the redundancy is used for extracting that data. It should be something that's common-sensical or intuitive with the solution if you're utilizing it correctly, meaning you wouldn't upload gigabytes of duplicate telemetry.

My thoughts on Cribl's ability to contain data costs and complexity are that it's an accurate assessment, given that the person behind Cribl utilization is knowledgeable, but there is a steep learning curve. If you're a customer who has no idea how to use Cribl and just buy it hoping to solve your problems, it doesn't work that way. You must have some understanding of ETL in general or just source data, root data, and then what you're actually looking to transform. Just buying Cribl hoping it will solve all your problems is far from the truth. Although Cribl is a great product, you wouldn't give a Ferrari to your sixteen-year-old son right when they get their driver's license; that's the best analogy I can give. Cribl is a Ferrari for data analytics and monitoring, but you don't hand over the power or weaponize that tool for someone who doesn't know how to use it. A customer can definitely do all the things that Cribl claims, but it comes at a steep learning curve and that intuitive cost.

For how long have I used the solution?

I have been using Cribl in my career for probably over seven years, maybe longer, and I can't recall the first time, but it's been years though. I would say close to a decade.

What do I think about the stability of the solution?

I haven't personally witnessed any instability with Cribl, and any instability I have seen was caused by user error. This means performing a function within Cribl and then getting error outputs because of something, such as how the data transaction was communicated. I have heard of an issue where too much data gets backed up, but I can't think of the specific term Cribl uses for it. Such issues are fairly common.

What do I think about the scalability of the solution?

Cribl is good for scalability, making it a good product for any organization looking to do data transformation, whether small to medium businesses or large corporations.

How are customer service and support?

I have contacted customer support for Cribl, but it wasn't for anything operational; it was for some knowledge base articles. Their customer support is extremely responsive and very communicative.

If I were to put their support on a scale from one to ten, I would probably give them an eight.

Which solution did I use previously and why did I switch?

There are plenty of alternatives out there.

The closest one in terms of quality and tools that comes to mind for data management is BindPlane, but those two are not comparable. There are other solutions as well, but there's really nothing like Cribl. Other solutions such as Axiom also come to mind, but again, you're talking about comparing Ferraris to Volkswagens or some other vehicle. Comparatively speaking, I can't really think of a solution that operates as well.

How was the initial setup?

A capable engineer should be able to deploy Cribl with ease. As I stated before, the open-source knowledge base is extremely thorough, and one with an engineering background shouldn't have a problem standing up Cribl; it should be pretty easy. The nuance comes with doing data transformation within Cribl, using pipelines, packs, and their specific solutions, which might present a learning curve. However, standing up the solution operationally is pretty straightforward.

What about the implementation team?

Regarding whether one person can do the deployment or if a team is needed, the answer isn't straightforward. In a small to medium business environment, I would say one person can do it. However, for organization-wide deployment, it depends on how efficient, effective, and optimized you want to be. You can't just respond with a direct answer; you have to ask what kind of outcomes and timelines you're looking to achieve. If you're asking me straightforwardly if one person can do it, I would say it's possible, but it's a very misleading answer.

What's my experience with pricing, setup cost, and licensing?

For pricing, I would say that Cribl is pretty standard across any of these other organizations, and it's pretty comparative depending on the ingest. Some people have different licensing models, and you have to consider ingest, scale, and what you're taking in and putting out. For instance, a license for Cribl would be five hundred thousand plus your ingest costs for your datasets, such as all your syslog and your third-party data sources. That being said, there are other organizations that have different pricing models, so it's hard to do a straightforward comparison. Axiom, for example, might have an all-inclusive licensing model around two hundred fifty thousand to three hundred thousand. To do a proper comparison, you would have to look at all the caveats. Overall, the pricing model for Cribl is pretty standard and straightforward.

What other advice do I have?

Cribl does require maintenance from the user. You need to ensure that you're updating, including comments, service versions, and that sort of regular operational maintenance. It depends on specific endpoints and end-of-life considerations, but the general answer would be that you definitely need to maintain Cribl. You can't just deploy it and say you're done.


    reviewer2805801

Data control has improved observability and has supported fraud and compliance reporting

  • March 02, 2026
  • Review provided by PeerSpot

What is our primary use case?

I have been using Cribl for about a year in my career. As a consultant, my job nature involves working with clients and coming up with solutions. Many of my clients are interested in observability, so I evaluated Cribl as a potential tool for their needs. Cribl is a relatively new product, and I have been involved with it since last year.

What is most valuable?

What I appreciate most about Cribl is that it addresses a major gap in the market compared to the competition. Splunk is extremely expensive, and many of my clients are financial institutions, including big banks, insurance companies, and fintech payment companies in Canada. While they already have Splunk installed, it is costly and sometimes does not meet their needs. Cribl offers significant advantages because from the source, you can collect all the data you want and filter and transform it.

In recent years, many of my clients are focused on fraud prevention, AML compliance, and regulatory requirements. They have numerous MRAs that they need to remediate and show evidence for. Cribl provides better control over data sourcing and allows them to demonstrate good control of their data.

I appreciate that Cribl provides better control of data from the source, which translates to better control over the cost of data and complexity. Many of my clients have sources of data across different platforms, and Cribl allows them to manage data from all these different sources in one place.

What needs improvement?

One area for improvement would be the certification path for Cribl. I understand there is a need for higher-end certifications, but it would be beneficial to also create certifications that are more accessible for business people or consultants. The current engineer certification is quite rigorous and not easy to pass. While keeping that rigorous option, providing another option for business or consultant users to get certified would be valuable.

For how long have I used the solution?

I have been using Cribl for about a year.

What do I think about the stability of the solution?

Regarding stability, I have not experienced any lagging, crashing, or downtime with Cribl.

What do I think about the scalability of the solution?

I believe Cribl is suitable for both large corporations and the small and medium business market. Some of my clients are very large banks in Canada, including one of the largest banks in the country. However, I also work with smaller clients, such as smaller insurance companies. Cribl performs effectively across both market segments.

How are customer service and support?

I have contacted technical support for issues and had a positive experience. I started by opening a ticket from their website. I have dealt with other vendor products in the past where support was unresponsive, but Cribl's support is very good. I was pleasantly surprised by their quality and speed of response. I would rank their support at an eight out of ten, though I acknowledge that I tend to be overly critical.

Which solution did I use previously and why did I switch?

While I have not personally tried similar solutions, my clients have been using Splunk, which is the most comparable solution they have relied on for a long time.

How was the initial setup?

I have not done an actual deployment myself, but my understanding is that the initial deployment is easy.

What about the implementation team?

Regarding maintenance on the client's end, there is some administration required. Standard updates from Cribl, such as security fixes and bug fixes, are typical maintenance tasks. I would need to review the specific details to provide a more comprehensive answer about all required maintenance.

What's my experience with pricing, setup cost, and licensing?

I do not know the exact pricing because as a consultant, I am not privy to the exact numbers my clients are paying. Pricing often includes deals and investments from vendors. However, based on feedback from my clients, Splunk is more expensive, and Cribl appears to be more affordable.

Which other solutions did I evaluate?

Regarding pricing for Cribl, I cannot speak to exact numbers because as a consultant, the clients handle the financial details. Deals between vendors like Splunk and Cribl often involve special investments, so the pricing varies. Based on what my clients have shared, Splunk is significantly more expensive, and Cribl appears to offer better value.

What other advice do I have?

I contacted technical support for issues and had a very positive experience. I would give this review an overall rating of eight out of ten.


    Nitin Arora

Centralized log control has improved normalization while pricing and UI still need refinement

  • March 02, 2026
  • Review from a verified AWS customer

What is our primary use case?

I have been working with Cribl for three years now. Cribl was introduced some time ago but has been recently highlighted in the market, and people in my firm started using it.

I lead an engineering domain in my firm, and I am leading almost six to seven projects, all of which have Cribl at this moment. Before Cribl, we used a syslog forwarder to forward third-party logs to our SIEM solution. In some cases, the SIEM solution is Sentinel, and in other cases, it is Splunk. We used the syslog forwarder to have these logs normalized and sent into the Sentinel workspace via syslog forwarder. However, once Cribl was introduced, we have seen several advantageous features that are not available in the syslog forwarder for normalization but are readily available in Cribl. Additionally, from the source end, we can perform filtration that was not possible before Cribl was available. Another advantage of Cribl is that we can customize the logs and tagging of the logs according to our needs. In summary, there is full control of logs coming from the source end when they are sent into our SIEM solution via Cribl. These three reasons are why we are using Cribl.

We are onboarding firewall logs into our environment using Cribl as well. There are no issues in implementing firewall logs or having those logs into the environment.

How has it helped my organization?

We are improving in terms of managing endpoints. We now have a dashboard in Cribl itself. This is improving our time management. However, we have created an internal dashboard on the Sentinel platform which we manage instead of using the Cribl dashboard. We have not leveraged that feature at this moment.

What is most valuable?

The valuable features are normalization, an easy graphical user interface, and the feature to have multiple pipelines for the same log source. The feature to have multiple pipelines is the most amazing feature of Cribl that I appreciate the most.

These features are beneficial because there are very few options in the market. The initial old school approach was syslog forwarder. Several other tools are available in the market, but those tools do not have as much control capability as Cribl provides. Additionally, Cribl is hosted on the cloud, and most products, solutions, and SIEM platforms nowadays are on the cloud as well. This creates a good integration between the products.

The deployment was smooth across all seven projects I have. Everything was in place, with documents and step-by-step guidance readily available. Cribl support is very good. Whenever we got stuck, we just needed to open a ticket, and the support team was very responsive and helped us get the deployment done quickly.

What needs improvement?

Cribl should enhance the homepage. The user interface is very simple, and you can see all your workers or worker groups on the homepage itself. However, a layman or someone jumping into the portal for the first time might get confused because they may not be aware of where their log sources are mapped or which worker group their log sources are mapped into. The homepage could be further simplified to address this confusion.

Cribl should work on enhancement of their graphical user interface. They definitely need to work on their pricing. If they address the costing aspect, they are the big players and have a bright scope in the market because they are doing very well. They should find alternative pricing models for small-size firms that want to utilize their features but cannot do so due to cost constraints.

Cribl should work on their turnaround time for support tickets. In my environment, we have AWS, Microsoft, Cribl, and GCP in some cases, so we have different SLAs for different tickets. For Cribl, a very low severity ticket has a turnaround time of almost around twenty-four hours. Even after twenty-four hours, if people follow up, they do respond, but sometimes they take a lot of time to respond even to very simple or small issues. They should improve that turnaround time.

I have heard from someone on LinkedIn that there is a limitation in Cribl, but I have not explored that myself, so I should not make definitive comments about it.

For how long have I used the solution?

I have been working with Cribl for three years now.

What do I think about the stability of the solution?

Cribl sometimes behaves unexpectedly, but this is rare. When log volumes are very high, Cribl workers or the servers behind Cribl start behaving weirdly. We have seen ingestion latency in the SIEM platform, and we have also observed sometimes a drop in the logs. Cribl is designed to deal with certain kinds of loads and is not designed to handle any scenario in the market. We need to be very careful when sending huge volumes of logs via Cribl to any SIEM platform.

How are customer service and support?

The turnaround time for support tickets needs improvement. In my environment, I have AWS, Microsoft, Cribl, and GCP in some cases, so I have different SLAs for different tickets. For Cribl, a very low severity ticket has a turnaround time of almost around twenty-four hours. Even after twenty-four hours, if people follow up, they do respond, but sometimes they take a lot of time to respond even to very simple or small issues. Cribl support should work on improving that turnaround time.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used a syslog forwarder, which is not a tool but an old school methodology. We have now gotten rid of each syslog forwarder, and Cribl has taken over that responsibility.

How was the initial setup?

There are no challenges or complexity with the initial setup. Cribl is hosted on a server itself and is very easy to set up. It hardly takes two to three hours to complete the whole setup from beginning to end. It is not that complex. Documents are available on the internet as open source, and Cribl University has resources available as well. It hardly takes around three hours to get everything set up with all the process and approvals.

The deployment process across all seven projects was smooth. Everything was in place, with documents and step-by-step guidance readily available. Cribl support is very good. Whenever we got stuck, we just needed to open a ticket, and the support team was very responsive and helped us get the deployment done quickly.

What about the implementation team?

The documents were ready, and step-by-step guidance was available. Cribl support is very good. Whenever we got stuck, we just needed to open a ticket, and the support team was very responsive. They reached out to us and helped us get the deployment done very quickly if we got stuck somewhere.

What was our ROI?

Cribl is a huge investment for a firm like Deloitte. However, we do not have any other good solutions or good options in the market, so we do not have another option to choose from. I have already started exploring alternative solutions that are going to give a cheaper solution. However, we are also not going to compromise with quality. Vega is similar to Cribl and is something I have mentioned. From the ROI perspective, Cribl is a huge investment.

What's my experience with pricing, setup cost, and licensing?

Cribl is a very costly product. The complexity is not an issue because it is very easy to understand. With Cribl University courses, a person who is very new to Cribl can easily grasp the content. Cribl itself has provided many resources on the marketplace that we can leverage. However, in terms of costing, Cribl is a very costly product. People nowadays have started considering alternative solutions. There is a tool called Vega in the market that was very recently introduced. We are also having POC sessions going on there. Cost-wise, Cribl is a costly tool, but complexity-wise, it is a very quick tool to adopt.

Which other solutions did I evaluate?

Vega is an alternative solution in the market that was very recently introduced, and we are having POC sessions with it.

When comparing both products, Cribl will definitely win in each aspect because we did a POC recently and did not find Vega to be as effective as Cribl. The only point where Vega is winning is in pricing terms. They have very attractive prices. However, we do not want to compromise with quality. Cribl is leading in each aspect. Vega is still lacking the basic things that Cribl already covers. Cribl is much more mature in the market now. Nobody stands very close to Cribl.

What other advice do I have?

I would recommend Cribl to small-scale firms looking for this kind of solution. They should go through some documentation and videos, or they could set up some time with Cribl if they want. Cribl is a good product and tool in the market that can help with normalization, setup, and segregation of logs. However, the challenge people face is the cost. I am okay with this because my firm has a budget and can afford it. For small-scale sectors, I think Cribl needs to come up with one more pricing model, maybe with fewer features, but they should develop alternative pricing options.

Cribl Edge makes the environment very much managed. We have created multiple pipelines, and using those pipelines, we do not need to have any tagging done at the destination level. From the source level itself, within the pipeline, we can map the tags, and the logs are very much managed in the workspace itself. At times of audits and compliance, everything is managed there. It is helpful.

For the Cribl Search feature, I have seen log ingestion problems, latency issues, and sometimes the dropping of logs. Cribl Search comes into the picture to help us understand if we are missing something or having some latency in the logs. It shows us where we have a latency and which root cause is creating the problem, which server is creating the problem, and which worker group is creating the problem. Using Cribl Search makes it more effective for us.

The overall review rating for this product is seven out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Jonatan Stenmark

Centralized data routing has simplified deployments and has enabled flexible telemetry use cases

  • March 02, 2026
  • Review provided by PeerSpot

What is our primary use case?

I recommend Cribl as a solution to customers who have a lot of telemetry data because it provides flexibility within data routing.

It saves us a lot of time because the auto-deploy and auto-updates from one central panel are much easier to manage. When managing deployments manually, it takes 10, 15, or 20 times more time compared to using a central management UI.

One advantage we've seen is that during customer presentations, we can ask customers which specific use case they want us to present, and then we can use Cribl AI to present that. This has enabled us to present use cases that aren't even security telemetry.

We had a use case where we didn't know how to proceed at all, so Cribl helped us 100 percent. We didn't have any knowledge going in on how to collect temperature data and harmonize it into one format when the customer wanted us to showcase different temperature scales such as Fahrenheit and Celsius, along with different decimal separators like commas and dots.

What is most valuable?

Cribl is very easy to get started with, and you can get going very quickly. It has an interface that is very user-friendly, so you can set it up and start connecting sources with consumers fairly quickly.

Cribl offers a lot of what they call packs, which are valuable resources. However, I do think you need to be a pretty technical person in order to make sense of the UI. The product is not easy to use for just anyone.

Cribl works well and is fairly easy to set up, especially with firewalls, which are one of the baseline use cases. As long as there are packs available, it's a really good product and easy to manage. However, if there are no packs and you need to code it yourself, the learning curve is a bit steep. Thankfully, Cribl AI is now available, so you can prompt inside the tool and get help on how to set up all of the different rules.

What needs improvement?

One thing I think is that Cribl is very dependent on the packs. If you don't have packs and you need to do things on your own, it's not trivial. You'll have to make a real investment in training and experimentation.

Cribl needs to think more broadly. The product really comes down to having a higher level of flexibility in data routing. You can send data to multiple destinations at the same time and you're not locked into anything.

I would like to see an investment in a broader range of use cases beyond security telemetry data. For instance, I know that the railway industry is very interested in finding data pipeline tools for the data that trains create when they're driving.

For how long have I used the solution?

I have been using Cribl for about two years now.

What do I think about the stability of the solution?

Cribl is very stable and scales really well. Besides the fact that the worker nodes consume a lot of resources if you push them, it scales very well. It's easy to spin up new nodes, and they're very stable.

How are customer service and support?

I think the Cribl team is awesome. In Sweden, they're really great. The cybersecurity market in Sweden isn't that big, so it's the same people working in the industry. The Cribl team in Sweden is really a great team, and it works really well with our organization.

Which solution did I use previously and why did I switch?

I work with Logstash and Gigamon, which are the main two tools I've worked with. You can also do some things in the command line, but they're more efficient with how you integrate, so that's another way to do it.

Cribl feels a lot easier to use and more intuitive. It gives you more capability, and you don't have to work as hard to set things up.

How was the initial setup?

Cribl is a little bit more pricey than Logstash, which is one disadvantage.

What was our ROI?

I strongly recommend doing a proof of concept to see Cribl in action and always do an ROI calculation. Don't be surprised if you save money in the end on investing in Cribl.

Which other solutions did I evaluate?

If you're very efficient in Splunk or in Sentinel, then you could argue that you don't need Cribl because you won't save that much money. However, they are two different products with their own pros and cons.

What other advice do I have?

Cribl is very focused on security telemetry, but I feel their product has really good use cases for other things, such as the temperature example I referenced earlier.

Cribl is not a solution for the smallest customers because you need to have a certain throughput of volume. If you have just 200 users, then Cribl is not the appropriate tool to discuss.

The main product we work with is Cribl Stream. I would give Cribl a rating of 9 out of 10.


    Juan Mallorquin

Data optimization has transformed log management and supports efficient long-term investigations

  • February 27, 2026
  • Review from a verified AWS customer

What is our primary use case?

Cribl is used for log management and SIEM in terms of optimization of the data that we are collecting.

What is most valuable?

The flexibility that Cribl provides allows us to manage the data and work with the data effectively.

Implementing Cribl has optimized the infrastructure that we have and is improving the optimization of the services that we are providing.

What needs improvement?

Other than the Cribl module that we are using, Cribl Search has several modules, so there is room to improve that capability in Cribl.

In Cribl Search, the language and the flexibility in querying the data can be improved because it is not as good as other solutions.

Cribl Search does not currently help search data in place for investigative issues or answer questions across our data stores at this moment because we are not using it at that level yet, but hopefully in the future.

I would advise others looking to implement Cribl that if they are evolving Cribl Search, it would be very interesting to see more capability, more flexibility, and more ways to share the data similar to Splunk.

For how long have I used the solution?

I have around three and a half years of experience working with Cribl.

What do I think about the stability of the solution?

Cribl's stability is an eight.

What do I think about the scalability of the solution?

For scalability, I would rate it a ten.

How are customer service and support?

I would rate the technical support as an eight.

Which solution did I use previously and why did I switch?

I would compare Cribl with other solutions or vendors as mature. We have seen another solution similar but not as mature as Cribl at the moment.

I am talking about the Data Stream Processor from Splunk and also Omnium from Spain.

How was the initial setup?

Cribl is easy to deploy; the team managing the deployment did not report any concerns about the complexity of the deployment of the solution.

The deployment is straightforward; it is just a matter of coordination with other teams, but everything was released in one day.

What other advice do I have?

Regarding the firewall logs with Cribl, the digression of the data that we are experiencing thanks to Cribl is amazing. Although I cannot provide exact numbers, the reduction is significant.

I use Cribl Stream, Cribl Lake, and Cribl Search. My experience with Cribl Search and Cribl Lake is just initial; we are just starting to use them. Cribl Stream is the optimization we are using right now in terms of data collection and data management and is more mature.

Cribl Search has changed my approach to long-term log retention and historical investigation.

I would rate this review an eight overall.


    Priyanshu Mishra

Data pipelines have reduced noisy logs and now support faster, cost-efficient investigations

  • February 26, 2026
  • Review provided by PeerSpot

What is our primary use case?

I have used Cribl for log volume reduction with SIEM tools including Splunk, Sentinel, and Elastic. The raw logs contained a lot of noise, and Cribl helped me filter unnecessary logs, drop low-value fields, reduce repetitive logs, and remove unused attributes. I achieved 40 to 80% reduction in existing volume, which resulted in faster searches and good cost savings.

Cribl helped me route the same log streams to multiple destinations based on conditions I wanted to implement. Firewall logs were sorted with error messages. Whenever I received firewall messages, different types of traffic were allowed or denied, and there were threats from malware, scans, IPS, VPN connections, and authentication failures. I added context to the logs that was useful for SOC teams, including geo-location based on asset owners and application names. Since firewall logs were highly verbose and expensive to ingest into the SIEMs, I used Cribl to parse and transform them into structured fields, enriching the geo and asset context. I also dropped noise from the traffic we received and routed only threat and deny logs to the SIEM while storing the rest in S3 for long-term analysis.

Whenever I received high volume log metrics, Cribl proved to be the best solution. Using Cribl, I processed millions of data per second from various sources including firewalls, Kubernetes clusters, cloud platforms, and Prometheus, which is one of the primary sources from which I receive data. Cribl efficiently handles high-volume logs and metrics through horizontal scaling, easy filtering, smart sampling, metric cardinality reduction, and tiered routing. This ensures performance, cost control, and reliable observability even at massive scale. I primarily worked on the scaling part, including auto-scaling, and I also used load balancers to balance the load between worker nodes and the leader node.

Cribl reduces data complexity by normalizing log formats, handling schemas, flattening nested data, and reducing high cardinality fields. I worked with instances where I had different JSON files and set cardinality fields including request ID, session ID, and pod UID. By applying conditional parsing, flattening JSON nesting files, and removing high cardinality fields, I simplified downstream analytics and reduced ingestion cost by almost 60%. In our projects, each team works on particular domains, and I was specifically working with load balancing, auto-scaling, and routing data to destinations. Cribl is one of the most reliable solutions I have worked with, and it has provided a user-friendly experience. Whenever I wanted to access data from years back to check for seasonality impact, Cribl helped me accomplish this. I believe that if this feature works well, the other features will also work seamlessly.

What is most valuable?

Cribl is one of the best data pipelining platforms, and with all the features that have been upgraded over the past three years, it has been seamless. Although it is on the expensive side compared to competitors such as Edge Delta and many other platforms, Cribl is one of the most secure solutions. When data passes through or when I store any data in hot tier, cold tier, or archive storage, it is very easy to determine which data to keep, and the data routing process is seamless when compared to other platforms.

Regarding the UI, depending on the configuration, the home screen shows me how the system's health is, including the ingestion rates and how events are working per second. Throughput charts are available, and errors or warnings also pop up. The UI is well-organized for me. Whenever I log into Cribl UI, I directly go to the streams to classify the incoming logs and then create a pipeline using the drag-and-drop builder. I do not need to write full code because it has drag-and-drop functions. I choose functions such as Parse, Eval, Drop, and live events preview to test against sample events. Once this is done, I assign routes to destinations. The particular destinations I worked with include Splunk and Stream. Finally, I monitor the throughput, errors, and metrics dashboard and adjust as needed. Cribl follows a very systematic approach in the UI part, and it is a hassle-free solution for developers to work on.

I have not worked with Cribl Search very much, but I have worked extensively with Cribl Stream. From my certification, I remember that Cribl Search's Search-in-Place feature allows me to query data when it is already living. Without re-ingesting data into a SIEM, I can search it through Cribl dashboards. For example, I keep data in the SIEM for 7 to 14 days, for months or years in object storage. Cribl Search allows federated on-demand logs and metrics. When platforms can access data without ingesting it directly into the SIEM, I can directly use the on-demand function, and it is mainly used for cost-effective historical search or investigations that have already been done in past years. This Cribl Search feature helps me check seasonality impact, such as comparing last year's revenue percentage to this year's revenue. This helps me make better decisions about the market. Since my client is Microsoft and I ingest heavy amounts of data every day, Cribl has been handling this very well.

What needs improvement?

To improve Cribl, I would focus on comparing performance and architecture with other tools. High volume efficiency can be made more seamless, such as improving the identification of noisy sources via metrics and sampling repetitive logs. This feature already exists, but I am talking about how to make it more efficient. I will focus on the high volume data part, reducing data complexity, making performance metrics more visible, and the dashboard can be more interactive. Integration of AI tools can be much more helpful. I am pretty sure that the developers of Cribl have been working on that and an update will come soon with AI integration. However, I need to ensure that data is secured as much as possible because data security is non-negotiable for data engineers.

Cribl is a very interactive application for me and one of my favorite applications to work on. I hope to have more opportunities to work with Cribl. The cost part is very high compared to alternatives such as Edge Delta, which offers much cheaper prices. However, price comes with a cost, and speed and security come with a price.

Integrating AI is one of the most valuable improvements. It will most likely be Copilot because I do not think OpenAI will agree to integrate with Cribl, or Cloud may also come in, but I believe Copilot will be first. Integration of Copilot will be a big advantage for everyone. I would not need to run scripts or go back to documentation to check function syntax because there are many functions I need to use in day-to-day life, and it is very hard to remember every function syntax. When I integrate AI, it will directly help me get the functions. I just need to provide the prompt needed, extract the data from the Copilot chat, and use it in my day-to-day life. My overall review rating for Cribl is 9 out of 10.

For how long have I used the solution?

I have been working with Cribl for three years and two months.

What do I think about the stability of the solution?

I have faced only one or two instances with the login part, but it was due to maintenance. The Cribl platform was not accepting my credentials during that time, but it was resolved quickly. I have not come across any customer-facing issues, so I would not be able to provide additional details on that.

What do I think about the scalability of the solution?

Whenever I received high volume log metrics consistently, Cribl proved to have the best capabilities. Using Cribl, I processed millions of data per second from various sources including firewalls, Kubernetes clusters, cloud platforms, and Prometheus, which is one of the primary sources from which I receive data. Cribl efficiently handles high-volume logs and metrics through horizontal scaling, easy filtering, smart sampling, metric cardinality reduction, and tiered routing. This ensures performance, cost control, and reliable observability even at massive scale. The primary thing I worked on is the scaling part, including auto-scaling, and I also used load balancers to balance the load between worker nodes and the leader node. Auto-scaling is available and automatically adjusts the scaling part.

Which solution did I use previously and why did I switch?

I have not worked with other solutions directly, but recently I had an opportunity to speak with the Edge Delta founder who wanted me to review Edge Delta versus Cribl. In that discussion, I remembered some points such as high scalability and auto-scaling being features in Cribl and not in Edge Delta, but Edge Delta may be able to compete on price at some point. When they integrate AI, there may be some additional advantages. Since I work for my organization, the organization bears the whole cost, and I have not directly purchased Cribl software. There are some features that could be included in the basic package, similar to Power App tools in Microsoft. There are many advanced features that require paying additional fees. Some basic features could be added directly to the subscription plan rather than being offered as custom configurations or particular add-ons.

How was the initial setup?

The setup was straightforward with no complexity. Every application nowadays has a seamless experience, and three years ago when I was getting into Cribl, it was already very interactive for me. One additional observation is that there are not many learning videos for Cribl on YouTube platforms or free learning platforms other than Cribl University. I think they will slowly integrate into other streaming platforms as well so that it will be more helpful for users to get into the application.

What about the implementation team?

I did not require an implementation team. When I signed up with credentials, I created an account by signing up with all the details and filling out the form using Cribl's payment gateway. I followed the same process as I would for AWS or Azure. I did not use different options to buy from the Azure platform. I received the credentials directly and just logged in with them. When I was getting certification, I was redirected to their website to buy directly, not from any vendor apps.

What was our ROI?

The most talked about point for Cribl is that it is one of the most seamless applications to work on. The speed at which it processes data and handles high ingestion volumes is why it is one of the most expensive platforms. I have not worked with anything other than Cribl, so I am not able to compare. However, since my client is Microsoft and I ingest heavy amounts of data every day, Cribl has been handling this very well.

Which other solutions did I evaluate?

I have not worked with Cribl Search very much, but I worked extensively with Cribl Stream. From my certification, I remember that Cribl Search's Search-in-Place feature allows me to query data when it is already living. Without re-ingesting data into a SIEM, I can search it through Cribl dashboards. For example, I keep data in the SIEM for 7 to 14 days, for months or years in object storage. Cribl Search allows federated on-demand logs and metrics. When platforms can access data without ingesting it directly into the SIEM, I can directly use the on-demand function, and it is mainly used for cost-effective historical search or investigations that have already been done in past years. This Cribl Search feature helps me check seasonality impact, such as comparing last year's revenue percentage to this year's revenue. This helps me make better decisions about the market.



    reviewer2805069

Log management has become efficient as data volume reduces and security insights improve

  • February 25, 2026
  • Review provided by PeerSpot

What is our primary use case?

My primary role involves transforming customers' DDI environments to newer environments, migrating things from legacy platforms to newer platforms. A couple of my clients had the challenge of log analysis. DDI or DNS DHCP and IPAM environment logs are quite large. When the logs need to be sent to SIEM, Splunk, or any other log analysis environment, the licensing cost is substantial. They were looking for options to leverage this and reduce log size while maintaining visibility. I came across Cribl, a beautiful product that fascinated me. I was also evaluating a couple of other products including Datadog, but Cribl fascinated me because you can customize your requirements. Based on your requirement, you can channelize the logs, make the logs available as needed, and deduplicate things. Many things can be done in the Cribl environment. I worked along with the LogStream team with the clients and we set up the Cribl environment to pass logs from the DDI environment to Splunk.

In my current field of DDI transformation as an enterprise architect, I have close to 22 years of IT experience working as an enterprise DDI architect.

Cribl handles high volumes of diverse data types such as logs and metrics very efficiently because the data volume is managed very efficiently. Cribl is primarily for reducing the data volume and log volume. Analytics is the area where they need to improve. When passing query logs or DNS logs, if certain malicious query patterns need to be identified or if fast-flux attacks are happening, Cribl can report that and those would be definitely a plus for them. Even if those features are there, or may not be there, I couldn't find those options in Cribl. That's one area where they need improvement. Out of the box integrations with different DDI platforms would be definitely a plus. I couldn't explore much into those areas.

What is most valuable?

What I like most about Cribl is basically two things. One is the data reduction. When passing syslogs, syslogs are huge, ranging from gigabytes to terabytes in size. When the syslogs need to go to the security operations team or security team for log analysis and event monitoring, it's a nightmare for them to analyze all the syslogs. Cribl intelligently formats them. It intelligently extracts the data from the syslogs and then reduces the size of the syslogs by almost 30 to 40 percent, which I have seen practically. It removes any null values that are not required. It strips down whatever is required and just discards whatever is not required.

Secondly, sometimes in the logs, you find some unnecessary information, such as just an IP, some site ID, or what we call the circuit ID. Cribl fetches GeoIP information or checks for the reputation of domains if DNS queries are going to certain domains. Based on RPZ (response policy zone) files, it adds those additional fields to the log so that the logs can be enriched. When the traditional logs don't show the accurate values, this puts them in a more user-friendly and more user-readable format. Those are basically the two things that I appreciate about Cribl. It basically presents what is required out of a syslog output.

I have been using Cribl for somewhere around two to three years.

What needs improvement?

What I dislike about Cribl is that it represents my direct pain point. I basically do DDI migration, which is transforming a legacy architecture to a newer platform. My expertise is in Infoblox DDI. If a customer environment is running with Microsoft or some old BIND Linux-based DNS/DHCP solution, I consult them and if they are willing to move to Infoblox DDI, I help them migrate. The only thing is when we are doing the integration of Cribl, Cribl doesn't have any out-of-box customization packs for Infoblox. Whatever is available is only in the community. I need to go through the community page, download each customization pack or many filters and check whether that filter applies or not. Nothing is out of the box from Cribl. I have sent a couple of requests to Cribl earlier. If these could be available, because Infoblox is a market leader in the DDI segment and if Cribl has a native integration with them, then putting out-of-the-box integration with Infoblox with some filter packs and customization packs would be great for Cribl LogStream.

Analytics is the area where they need to improve. When passing query logs or DNS logs, if certain malicious query patterns need to be identified or if fast-flux attacks are happening, Cribl can report that and those would definitely be a plus for them. Even if those features are there, or may not be there, I couldn't find those options in Cribl. That's one area where they need improvement. Out of the box integrations with different DDI platforms would definitely be a plus. I couldn't explore much into those areas.

I haven't used the new Search in Place technology feature of Cribl Search as of now because my recent engagement with a client where I deployed Cribl and the Cribl log analysis log channel was not there. If I get any chance to deploy for any other client, I will get through that feature.

Regarding Cribl's user interface when managing log processing tasks, the newer interface looks cool compared to the initially clumsy interface. However, those aspects can be improved. I have seen that when switching between dark theme and white theme, some text is not visible clearly in the dark theme and the graphs are very hard to read. If they could improve that, it would be great.

The initial deployment of Cribl is one area where it needs to be improved because the initial deployment takes some time. Specifically, for complex platforms such as an Infoblox DDI platform where there are no out-of-box customization packs available, you need to go through community portals and Cribl community blogs to find scripts and customization packages. It takes some time, but once that is set, it becomes easy. It's quite easy after that.

For how long have I used the solution?

I have been using the solution for two to three years.

What do I think about the stability of the solution?

I haven't contacted technical support because we didn't have any outages or situations where it was not working. I just worked in small stints for different clients, so that's why I didn't contact technical support on those things. The self-help things and documentation are really good. Cribl has certain videos available where you can go through them and get knowledge.

Cribl doesn't require any maintenance on my end because on the DDI side, no maintenance is required. When sending the log to Cribl, Cribl is passing the logs but storing them. Maintenance will be only required if it's hosted on a VM and the disk space becomes less, then you need to increase the disk space. Basically that is taken care of by the VM team. Ideally in every enterprise, the virtualization team or data center team is different. For the storage issues, they can take care of that. Cribl is just passing and storing the logs. If Cribl is passing on device, then they need bigger storage, and if the storage is becoming less, then they need to increase the storage. That is the kind of maintenance I see, not from the source side.

What do I think about the scalability of the solution?

Cribl is definitely scalable because you get a platform which is kind of vendor-agnostic. Today, you have one platform, maybe a client is using Infoblox DDI, so they are sending the logs to Cribl. Tomorrow, if they are using some other platform for DDI, the log analysis channel or the log plane doesn't get affected by that. If tomorrow you need a little more processing or analysis, you add more instances of Cribl and that becomes scalable. You can scale it horizontally. Vertically also, you can add storage. Both ways it is scalable, horizontally and vertically.

How are customer service and support?

I haven't contacted technical support because we didn't have any outages or situations where it was not working. I just worked in small stints for different clients, so that's why I didn't contact technical support on those things. The self-help things and documentation are really good for them. Cribl has certain videos available where you can go through them and get knowledge on that.

How was the initial setup?

The initial deployment of Cribl is one area where it needs to be improved because the initial deployment takes some time. Specifically, when you have a complex platform such as an Infoblox DDI platform where there are no out-of-box customization packs available and you need to go through community portals and Cribl community blogs and find the scripts and customization packages, it takes some time. Once that is set, it becomes easy. It's quite easy after that.

What about the implementation team?

One or two people can deploy Cribl. That's not a big deal. You don't need a big team to deploy it. At most, I would say two people, that's all.

What's my experience with pricing, setup cost, and licensing?

I still have no idea about pricing because pricing and price point are basically determined by the customer with whom I work. It's taken by a very separate team, the finance team, and they decide on what price it should be. What I have seen in my implementation career with Cribl is that the licensing cost of Splunk is significant because Splunk is volume-based licensing. The more volume of data you are sending, the price also increases. Whatever they save from the Splunk side is ideally adjusted in Cribl pricing. It's a win-win situation from both ends. You save price from Splunk and you use Cribl and eventually you have a lower TCO, lower total cost of ownership at the end.

Which other solutions did I evaluate?

When I was looking for these kinds of solutions, I had come across Datadog and Kafka. Those are not as easily available and cross-platform as Cribl. I couldn't explore more into those other alternatives. I got a good product and I stick with that. I didn't check for others.

What other advice do I have?

Regarding firewall logs, I can't directly tell you the exact information because firewalls are not my area of expertise. I have definitely seen logs decrease in the Splunk logs for a DDI platform with Cribl. If Cribl forwards the firewall logs to Splunk, then definitely there will be a decrease in the firewall logs, but I can't tell exactly how that would be. I have given this product a rating of 9 out of 10.