In June 2023, Cribl and CrowdStrike expanded their partnership with CrowdStream, a cloud-hosted version of Cribl Stream that made it easier for CrowdStrike Falcon® customers to collect and route IT and security data into CrowdStrike Falcon® Next-Gen SIEM, CrowdStrike® Falcon LogScale™, and Amazon S3. CrowdStream gave security teams a simple way to normalize and filter data in flight while still taking advantage of the Falcon platform.
Over the last few years, the security market has shifted quickly. AI adoption is reshaping both enterprise operations and the threat landscape. Security teams must evolve accordingly: consolidating critical data into SIEM is no longer optional—it's essential for gaining complete visibility and responding to next-generation AI threats at machine speed.
As part of simplifying our joint portfolio and giving customers a clearer path forward, CrowdStrike has notified customers that CrowdStream will be designated end-of-life (EOL). While CrowdStream itself is winding down, Cribl and CrowdStrike remain committed to a strong integration so customers can keep sending the right data into Falcon while gaining more flexibility and control with Cribl Stream.
You’re probably reading this blog because you use CrowdStream today and want to know what’s next after receiving a Tech Alert from CrowdStrike. This blog walks through what the EOL means for your environment and how to migrate to Cribl Stream so that you’re back up and running in no time.
I’m a CrowdStream customer — what does this mean for me?
The CrowdStream EOL announcement means that:
New enterprise customers will no longer be able to purchase CrowdStream, and the product has been removed from CrowdStrike’s price list.
Existing customers should migrate to Cribl Stream or CrowdStrike Falcon® Onum before the deadlines outlined in CrowdStrike’s Tech Alert to ensure continued functionality and support.
If you have a free version of CrowdStream, you have 2 options.
Migrate to the free version of Cribl Stream following the steps below. OR Migrate to a paid version of Cribl Stream or Falcon Onum. If you’d like to migrate to a paid version of Cribl, contact sales at sales@cribl.io.
Migrate to Falcon Onum by reaching out to your CrowdStrike account team.
Customers with a paid license will be able to access CrowdStream until the end of their existing contract, at which time they will need to migrate to Cribl or Falcon Onum. Customers interested in migrating to Cribl can contact sales at sales@cribl.io.
For most customers, the migration focuses on replacing CrowdStream in the data path, while keeping existing Falcon Next-Gen SIEM and Falcon LogScale use cases intact. When you’re ready to migrate from paid or free CrowdStream to Cribl Stream, you can follow the steps as outlined in the How to Migrate to Cribl Stream section below or engage Cribl for additional guidance.
Benefits of migrating to Cribl
Migrating off CrowdStream is a chance to modernize your data pipeline, not just swap one product for another.
With Cribl Stream, you collect once and route anywhere. You can normalize, reduce, enrich, and secure data in flight, then send the right subset into Falcon Next-Gen SIEM and Falcon LogScale while also fanning traffic out to additional security tools, observability platforms, and low-cost storage. Cribl also enables you to keep a full fidelity copy of raw data in cheaper storage for long-term retention, investigations, and audit needs, with the ability to replay it to analytics tools later.
Cribl Stream is available in Free, Standard, and Enterprise tiers so you can match the deployment model to your scale and governance needs. Free is ideal for starting and testing up to 1TB/day, Standard adds more capacity and core enterprise features like external auth and support, and Enterprise unlocks more scale and advanced capabilities, like Git-based configuration management and granular RBAC/SSO.
Key benefits for CrowdStream customers:
Get access to the entire Cribl suite of products: Unlock Cribl Stream, Edge, Lake, and Search to analyze, collect, process, and route your IT and security data wherever it needs to go, while keeping it in your storage and under your control.
Bring in more telemetry: Increase your free daily ingest from 10 GB with CrowdStream to 1 TB with Cribl Stream, giving you more headroom to onboard new data sources.
Maintain control of your data: Enforce consistent data policies, standards, and formats across a much larger pool of destinations, including Falcon Next-Gen SIEM and Falcon LogScale.
Gain choice and flexibility: Route data to the analytics tooling of your choice without adding new agents or hard-wiring your architecture to a single SIEM.
How to Migrate to Cribl Stream
If you’re using the paid version of CrowdStream:
If you have any paid — Enterprise or Standard — license and would like to migrate to an Enterprise license of Cribl, reach out to the Cribl team at sales@cribl.io.
If you’re using the free version of CrowdStream:
If you have a free version of CrowdStream and would like to migrate to the free version of Cribl Stream, you have a couple options.
If you have a small collection of objects configured in Cribl Stream, each of these objects has a “Managed by JSON” object that allows you to copy and paste configs from a CrowdStream tenant to a Cribl Stream tenant. Sensitive information such as passwords or tokens may be included in these configs so handle them carefully. Objects that you may need to migrate will be Sources, Destinations, Routes, Pipelines, and Knowledge objects such as lookups, breakers, parsers, etc. Get started by creating a Cribl.Cloud account.
If you have a more complex config and are comfortable with a bit of scripting, you can use the Cribl Cloud Migration Scripts. These scripts use the Cribl REST API to export all configuration items—Packs, Pipelines, Inputs, Outputs, Routes, and Lookups—from your source organization and save them to a local directory. You can review the exported files before running the import script to recreate the configuration in your target organization. Setup requires creating a credentials file with your source and target organization API credentials, then running the export and import commands from the terminal. This approach is ideal for migrating larger or more complex environments where manual copy/paste would be time-consuming. See below for instructions.
Cribl cloud migration scripts
These scripts automate the migration of Cribl Stream (including CrowdStream) configurations between Cribl Cloud organizations using the Cribl REST API. The export script connects to your source organization and downloads all configuration items—Packs, Pipelines, Inputs, Outputs, Routes, and Lookups—saving them as JSON and .crbl files to a local directory. You can review and inspect these exported files before running the import.
The import script then reads these files and uploads them to your target organization, recreating the same configuration.
Prerequisites:
jq must be installed for JSON parsing
API credentials (Client ID and Client Secret) from both source and target Cribl Cloud organizations
Export script
Usage: ./export_cribl.sh [-f credentials_file] <worker_group>
Options:
-f FILE — Read credentials from FILE instead of prompting interactively
<worker_group> — The worker group to export (e.g., default)
Credentials file format:
SOURCE_ORG_ID=your-source-org-id
SOURCE_CLIENT_ID=your-source-client-id
SOURCE_CLIENT_SECRET=your-source-client-secret
What it exports:
Routes
Pipelines
Outputs (Destinations)
Inputs (Sources)
Lookups
Packs (as .crbl bundles and JSON metadata)
Output structure:
Configurations are saved to ./<org_id>/main/<worker_group>/ with subdirectories for each configuration type. An export_metadata.json file summarizes what was exported, and files_with_encrypted_fields.txt identifies files that may contain redacted secrets.
Import script
Usage: ./import_cribl.sh [-f credentials_file] <worker_group> <import_directory>
Options:
-f FILE — Read credentials from FILE instead of prompting interactively
<worker_group> — The target worker group (e.g., default)
<import_directory> — Path to the exported configuration directory
Credentials file format:
TARGET_ORG_ID=your-target-org-id
TARGET_CLIENT_ID=your-target-client-id
TARGET_CLIENT_SECRET=your-target-client-secret
Example: ./import_cribl.sh -f creds.env default ./flamboyant-galois-hep1c7k/main/defaultWhat to expect:
Import order: Packs → Outputs → Inputs → Pipelines → Lookups → Routes
System defaults (like devnull, main, passthru pipelines) are updated rather than recreated
Read-only inputs (CriblLogs, CriblMetrics) are automatically skipped
Existing items with the same ID are updated; new items are created
Changes are committed and deployed automatically after import
Important notes
Review before importing: Exported files are human-readable JSON. Inspect them before running the import.
Encrypted fields: Passwords, API keys, and secrets are redacted by Cribl's API (shown as ). You'll need to re-enter these values in the target environment after import.
Functions are not exported: The /functions endpoint returns built-in function types, not custom user functions—these exist by default in all environments.
Need help?
If you need additional support, Cribl offers world-class training and certifications for free and will always continue to do so. Please visit Cribl University for access to training, certifications, sandboxes, and many other learning resources, or reach out to your Cribl account team. To learn from other users, join the Cribl Community to see how folks are planning and executing their CrowdStream transitions, share patterns that work, and get answers from Cribl experts and fellow practitioners.
Closing
Migrating off CrowdStream is more than a maintenance task. It is a chance to keep Falcon at the center of your security operations while gaining the flexibility, control, and cost efficiency that come from using Cribl. By moving to Cribl Stream, you can continue sending the right data into Falcon Next-Gen SIEM and Falcon LogScale and keep full-fidelity copies of data in your own storage for future investigations and analytics.
Ready to plan your migration?
Talk with your Cribl team or reach out to schedule a short CrowdStream migration working session tailored to your environment.
If you prefer to get hands-on first, start a free deployment of Cribl Stream and follow the steps above, then use Cribl University to deepen your team’s skills with labs and certifications.
