There are at least two key factors that will determine the type of Cribl deployment in your environment:
Amount of Incoming Data: This is defined as the amount of data planned to be ingested per unit of time. E.g. How many MB/s or GB/day?
Amount of Data Processing: This is defined as the amount of processing that will happen on incoming data. E.g. Is most data passing through and just being routed? Or are there a lot of transformations, regex extractions, field encryptions? Is there a need for heavy re-serialization?
When volume is low and/or amount of processing is light, you can get started with a single instance deployment. See performance considerations. To accommodate increased load, you will need to scale up and perhaps out with multiple instances.