So, this question has been bothering me for quite some time now. While I am a big fan of Cribl and I really enjoy working with their products and showing/explaining them to others, I still wonder every now and then what value Stream would provide to a customer who already has a well-maintained and functioning Logstash for routing/transforming data.

If I think about it, the following points come to my mind, but if someone here has more/different reasons, I would be glad to hear them!

  • Stream's replay function
  • Scalability
    • Logstash works as a single instance; Cribl can be clustered to infinity
  • Stream is easier to maintain
    • No grepping around in config files for that one transformation command you need to change
    • Pipelines are easier to understand/maintain than logstash files
    • Less complex to get started with for new users/admins
  • Visualization of data flows
  • "Debuggability"
    • Being able to look into arriving/leaving data from within the tool without having to restart anything or using tcpdump is incredibly helpful
  • (My favourite point) Speed of Development
    • Capturing real log data and storing it for future use to replay over and over again to improve a pipeline was such a game changer to me.
    • Being able to see the changes you make to data through pipelines in real-time, without having to restart agents
Overall, I would go after these use cases:

  • Build configurations manually (Logstash) vs. out-of-the-box solution (Cribl)
  • Reduction use cases (Suppress, Sample, Drop, log to metrics)
  • Replay historical data
  • Enrich with Lookup
  • Reshape for Elastic SIEM

https://www.elastic.co/blog/elastic-cribl-migrate-siem
https://cribl.io/customers/sally-beauty/
https://cribl.io/blog/cribl-logstream-7x-more-efficient-than-logstash-and-fluentd/