Independent reference. Not affiliated with Splunk, Microsoft, IBM, Elastic, Sumo Logic, LogRhythm, or any SIEM vendor.
Vendor / Cribl

Cribl pricing in 2026: Stream credits, Lake, Search, and real savings math

The independent Cribl pricing reference. Credit rates, free tier limits, tier comparison, worked savings math against Splunk ingest, and four real customer scenarios. Built from Cribl's published pricing pages and customer-reported figures. Updated June 2026.

Pricing model
Credits per GB
1 credit = $1, ingest-metered
Stream Cloud
0.32 / GB
Cloud-managed, all-in
Hybrid Workers
0.26 / GB
Self-hosted, no infra surcharge
Free tier
1 TB/day
100 edge nodes, 50 GB Lake

What Cribl is, and why it matters for SIEM cost

Cribl is a telemetry pipeline. It sits between your log sources (servers, firewalls, applications, endpoints) and your SIEM (Splunk, Sentinel, QRadar, Elastic). Logs flow into Cribl, get filtered and reshaped, then route to one or many destinations. The expensive SIEM only receives the data that matters for detection. The verbose noise goes to cheap storage or gets dropped.

This matters because SIEM pricing is overwhelmingly ingest-metered. Splunk Cloud lists at $1,800 to $3,500 per GB per year. Microsoft Sentinel runs $3.43 to $5.22 per GB. At those rates, every gigabyte of debug chatter, DNS noise, or verbose Windows event you do not actually use for detection is taxed at SIEM list prices.

Cribl charges 0.32 credits per GB at the input side (one credit equals one dollar). At 500 GB per day, that is roughly $50,000 per year. Filter even 30 percent at the Cribl layer and you have paid for Cribl twice over on the Splunk savings alone. Cribl publishes a typical 30 to 50 percent SIEM cost reduction; customer-reported outcomes consistently land in that band.

The four Cribl products

Cribl Stream

The router. Receives telemetry from forwarders or agents, applies pipelines (filter, reshape, route), and sends to one or many destinations.

0.32 credits per GB ingested (Cloud-managed). 0.26 credits per GB on Hybrid Workers (no managed infrastructure surcharge). 1 credit = $1.
Cribl Edge

Lightweight agent that runs on hosts and edge devices. Replaces Splunk Universal Forwarder, Fluentd, or Beats for many use cases.

Included with Stream. Edge node count is tier-limited (100 free, higher on Standard+).
Cribl Lake

Cribl's own cheap storage tier. Stores raw telemetry for replay, late-arriving SIEM ingest, or long-retention compliance.

50 GB free, unlimited capacity on Standard+. Per-GB rate not published publicly; contact sales.
Cribl Search

Federated query across Cribl Lake and external data stores (S3, Splunk, Elastic) without re-ingesting. Relaunched 2026 for AI workloads.

Compute-based. Included with platform tiers. Search executors are tier-limited (10 free, more on Standard+).

Tier comparison: Free, Standard, Enterprise

Free
Up to 1 TB/day
  • · 1 worker group, 10 worker processes
  • · 100 edge nodes
  • · 50 GB Lake capacity
  • · Community support
$0
Standard
Up to 5 TB/day
  • · Credit-based, more flexible
  • · Higher edge node limits
  • · Unlimited Lake capacity
  • · 8x5 support, Git backup, notifications
From ~$50K/yr at 500 GB/day
Enterprise
Unlimited TB/day
  • · Multiple workspaces, federated auth
  • · Connected environments, RBAC
  • · Unlimited Lake capacity
  • · Dedicated 24x7 support team
Custom (typically $100K-$1M+/yr)

Source: cribl.io/pricing/plan. Daily volume limits and feature splits published by Cribl. Annual dollar figures triangulated from customer reports and Cribl pricing blog posts.

The Splunk savings math, worked

Before Cribl
Splunk ingest: 500 GB/day
Splunk list rate: $1,800/GB/yr
Annual Splunk cost: $900,000
After Cribl
Cribl filters 40% noise, Splunk ingest: 300 GB/day
New Splunk cost: $540,000/yr
Cribl Stream Cloud (500 GB/day in): $50,000/yr
Total spend: $590,000
Net savings: $310,000/yr (34%)

Filter ratio (40 percent) reflects Cribl's published typical-customer outcome. Actual ratios vary by data sources; most environments find 30-50 percent of ingest is detection-irrelevant (verbose Windows events, DNS chatter, debug streams) and safely droppable or routable to cheap storage.

Real-world Cribl cost scenarios

ScenarioProfileCribl costSplunk beforeSplunk afterNotes
SMB / startupUnder 1 TB/day ingest, single team, basic routingFree tier ($0)N/A or $20K-$80K30-40% lower if Splunk in mixFree tier covers most small environments fully
Mid-market500 GB/day total ingest, Splunk + S3 destinations$50K/yr Stream Cloud$900K/yr at $1,800/GB$540K/yr (filtered to 300 GB/day)Net savings ~$310K/yr (34%) after Cribl licence
Enterprise1 TB/day, multi-destination, ES + ITSI on Splunk$84K/yr Stream Cloud$1.8M-$2.4M/yr$1.1M-$1.4M/yr (40% reduction)Cribl pays back in ~5-7 weeks at this scale
Large enterprise / MSSP5+ TB/day, multi-tenant, dedicated worker fleets$300K-$800K/yr custom EA$8M-$15M/yr$4M-$8M/yrHybrid Workers (0.26 credits/GB) often cheaper than Cloud at this scale

Splunk costs assume $1,800/GB/yr Cloud list. Actual customer spend depends on EA discounts, Cloud vs Enterprise, retention, and premium app stack. Cribl figures from cribl.io published rates and customer-reported deal sizes.

When Cribl is the right call, and when it is not

Cribl is the right call when
  • + Splunk bill above $300K/yr
  • + Multiple destinations needed (SIEM + data lake + analytics)
  • + 30%+ of ingest is detection-irrelevant noise
  • + Migrating SIEMs and need to dual-route during transition
  • + Compliance retention without paying SIEM hot-tier rates
Cribl is overkill when
  • - SIEM bill is under $100K/yr (the math does not work)
  • - Single destination, simple log flow
  • - Already on Sentinel with Microsoft 365 source data (free ingest)
  • - No engineering capacity to design pipelines properly
  • - Below 200 GB/day total ingest
FAQ

Common questions

Is Cribl a SIEM?

No. Cribl is a telemetry pipeline (Stream), edge agent (Edge), data lake (Lake), and federated search (Search) platform. It sits between log sources and SIEMs like Splunk, Sentinel, or QRadar, filtering and routing data to reduce SIEM ingest costs. Cribl Search, relaunched in 2026, queries data without re-ingesting into a SIEM, which moves Cribl closer to SIEM-adjacent territory, but it is not marketed or sold as a primary SIEM.

How much does Cribl cost per GB?

Cribl Stream Cloud-managed runs 0.32 credits per GB ingested. Hybrid Workers (where you run the worker infrastructure on your own cloud or hardware) run 0.26 credits per GB. One credit equals one US dollar. At 500 GB per day, expect approximately $50,000 per year on Cloud-managed Stream. At 1 TB per day, expect roughly $84,000 per year. Lake and Search pricing are not publicly listed.

How much can Cribl save on a Splunk bill?

Cribl publishes 30 to 50 percent SIEM cost reduction as a typical customer outcome. Worked example: a 500 GB per day Splunk environment at $1,800 per GB per year costs $900,000 annually. Filtering 40 percent of low-value data at the Cribl layer reduces Splunk ingest to 300 GB per day, dropping the Splunk bill to $540,000. Cribl Stream Cloud at 500 GB per day input is approximately $50,000 per year. Net savings: $310,000 per year (34 percent), after paying for Cribl.

Free tier or paid?

The Cribl free tier handles up to 1 TB per day ingest, one worker group, 100 edge nodes, and 50 GB of Lake storage. For small and mid environments this is genuinely usable, not just a demo. Above 1 TB per day, the Standard tier opens up the full credit-based consumption model with 8x5 support, Git backup, and notifications.

Cribl Stream Cloud or self-hosted Hybrid Workers?

Cloud-managed Stream is operationally simpler: Cribl provisions and runs the worker infrastructure for you. Hybrid Workers run on your AWS, GCP, Azure, or on-prem infrastructure and are billed at 0.26 credits per GB ingest with no infrastructure surcharge. For environments above roughly 2 TB per day, Hybrid Workers typically save 15 to 25 percent net even after your own infrastructure cost. Below that, Cloud-managed is usually the right call.

Is Cribl's pricing publicly listed?

Partially. Cribl publishes the credit rate per GB for Stream Cloud-managed and Hybrid Workers, the free tier limits, and the high-level Standard vs Enterprise feature split. Cribl does not publicly publish per-GB Lake storage rates, per-compute Search rates, or minimum Enterprise commits. Anything above Standard tier requires a sales conversation.
Continue reading

Related cost references

Splunk pricing
What Cribl typically saves you from
Microsoft Sentinel pricing
Where Cribl matters less (free MSFT ingest)
Pricing models explained
Why ingest pricing is the lever
Hidden SIEM costs
What ingest filtering does not solve
SIEM cost optimisation
Run the calculator

Updated 2 May 2026