There are at least two key factors that will determine the type of Cribl LogStream deployment in your environment:
Amount of Incoming Data: This is defined as the amount of data planned to be ingested per unit of time. E.g. How many MB/s or GB/day?
Amount of Data Processing: This is defined as the amount of processing that will happen on incoming data. E.g., is most data passing through and just being routed? Or are there a lot of transformations, regex extractions, field encryptions? Is there a need for heavy re-serialization?
When volume is low and/or amount of processing is light, you can get started with a single instance deployment.
To accommodate increased load, we recommend scaling up and perhaps out with multiple instances.
Cribl App for Splunk Deprecation Notice
Updated about a month ago