Cribl Undercuts Splunk Ingest Economics
Cribl: the $120M/year Ramp of data observability
Cribl wins by making Splunk less profitable before it tries to replace Splunk outright. Splunk’s core engine was built to charge more as customers sent in more log data, so Cribl inserted itself one step upstream, where teams can filter, sample, redact, and reroute logs before they ever hit Splunk. That turns runaway ingest growth from Splunk’s revenue driver into Cribl’s wedge, with large savings that make adoption easy to justify.
-
The workflow is concrete. An operations or security team sends raw logs into Cribl Stream first, removes low value fields and duplicate events, then forwards only the useful portion into Splunk or another tool. In the 2024 Cribl update, a 5TB per day deployment is priced around $500K per year and framed as saving about $4M per year in Splunk spend.
-
This is classic counter positioning. Splunk cannot fully embrace aggressive data reduction without undercutting the ingest based economics that built its business. That strategic opening is why Splunk shipped Ingest Actions, which lets users filter and route data before indexing, and why Datadog bought Timber Technologies to bring Vector, a vendor agnostic observability pipeline, into its stack.
-
Once Cribl becomes the router, it can expand like Segment did in customer data. The company has added Cribl Search, Cribl Edge, and later Cribl Lake, moving from cost control into search and storage. That makes Cribl harder to rip out, raises spend per customer, and shifts it from a tool that saves money on another vendor to a system of record for telemetry flow.
The next phase is for observability and security vendors to fight for control of the pipe before data lands in expensive indexes and data lakes. Cribl is well positioned because the upstream router increasingly decides what gets stored, what gets searched, and which downstream vendors receive the data at all. That is where budget control turns into platform power.