What’s the ROI of implementing Cribl Stream?

We are living in an age of explosive data growth. IDC projects that data doubles every 2 years, and IT data is not immune to this trend. With this growth come other imperatives:

• The need to share data among repositories.
• Pressure to cut the cost of data retention.
• Pressure to reduce the labor associated with reformatting log events to a consumable state for ingestion into the analysis system.

Fortunately, Cribl Stream makes it easier to stay ahead of the curve. Historically, many customers combine the analysis tier (e.g., Splunk, ElasticSearch, Kafka, HDFS) with the storage tier (system of record). However, the increasing costs and complexity of those environments prompt many businesses to explore other options to reduce the cost of analysis while maintaining the full fidelity of the captured events. Enter Stream!

This blog walks through how the Stream ROI calculator shows how you can get longer data retention without added ingestion costs. In addition, we will analyze the total cost of ownership (TCO), covering both capital and operational expenses. This blog will also look at the opportunity costs of not leveraging inline data reshaping and enrichment. Finally, we will demonstrate the validity of the analysis with a real-world case study of a 5TB/day customer.

Key Takeaways

• 3-year ROI analysis for Stream usually yielded 150% or higher returns.
• Stream plays a significant role in reducing overall TCO.
• Stream’s expected ROI “ratio” is $1-to-$2 (up to $4 in some cases).
• While calculating ROI for inline enrichment, masking, transformation, and routing, it is implicitly understood that Stream will enhance your operational efficiency and compliance posture.

Commonly Asked Questions

When Cribl engages with a customer in a discussion around ROI and TCO, a list of common questions emerges. Here they are:

Stream Use Cases:

Stream is designed to cover multiple use cases. The top use cases tend to be searchable data reduction and archival data reduction; however, many customers have other pain points and find Stream to be instrumental in addressing their needs. Here is a visual flow diagram that can help you choose how to solve some of your challenges.

Methodology

To have a defensible ROI calculation, we need the following data points collected:

• Estimated software cost (license of any infrastructure component impacted by Stream).
• Estimated hardware costs (On-prem or BYOL Cloud).
• Estimated storage costs (On-prem or BYOL Cloud).
• Estimate network costs (Cloud egress, WAN charges).
• Estimated labor costs of data reshaping.
• Estimated reductions (or reduction percentage observed during POV).

Cribl developed a comprehensive spreadsheet designed to be defensible and understandable to budget holders. Being both defensible and understandable means we have to gather as many details as possible about the existing cost of the current environment. Then, we apply the estimated Stream license cost (plus hardware implementation cost). Next, we apply the estimated reduction percentage against a 1-, 2-, or 3-year growth forecast.

The final output will measure the Return on Investment (ROI) and new Total Cost of Ownership (TCO) with a great degree of accuracy. In addition, the calculator can intelligently estimate your Splunk hardware and storage requirements based on your retention policies and type of “major” Splunk apps installed.

The diagram below shows the major cost categories we need to capture.

Case Study

This is an example of a real-world calculation from a customer with the following data points:

• 5TB/day daily ingestion.
• 7 days hot/warm retention.
• 90 days cold retention.
• 354 days of frozen (archived).
• No major Splunk apps (ES, ITISI, VMware).
• 2 syslogs, EC2 , c6g.xlarge, 24 vCPU, 12 GRAM.
• 2 HFs, EC2 , c6g.12xlarge, 48 vCPU, 64 GRAM.
• 17 IDXs, EC2 , c5a.24xlarge, 96 vCPU, 128 GRAM.
• Running Splunk in AWS cloud (BYOL model).

The following table reflects the TCO for the life cycle of Splunk (3 years). First, we show the percentage of cost reduction we achieved and then calculate the new TCO per cost category.

TCO Summary

Stream Sizing Calculation (Cost of Hardware Implementation)

Finally, we calculate the ROI in percentage and ratio. The Year 1 ROI is 299% for this customer, with a ratio of $4 gained for every $1 spent on Stream.

ROI Summary

Did I say finally? I lied. We also will produce some graphs that communicate the value of Stream. Here are some examples. This graph shows the cost of Stream (excluding implementation, which is captured in the table above) vs. savings.

This graph shows major categories of cost reductions, in dollars:

Conclusion

After examining the TCO of your current analysis system and seeing the benefits achieved in a real-world case study, it will be easy to understand why Stream is quickly becoming the fastest and hottest technology for volume reduction and events streaming. Furthermore, it will be clear that when you track all costs associated with your current logging solution, purchasing Cribl Stream becomes a no-brainer.

And even with costs aside, whether in an on-premises or cloud-based deployment, there are side benefits to Stream that are sometimes very difficult to calculate ROI for. These include:

• Routing to multiple destinations.
• Heavy Forwarder replacement.
• Better event reshaping tooling.
• Internal WAN charges reduction (greater impact in APAC & EMEA regions).
• Enhanced Splunk searching and indexing performance.
• Better compliance by using inline encryption vs. encrypting data at rest.
• Better security investigation with inline lookups (IP-to-hostname).
• Enhanced resiliency with Stream’s Persistent Queues feature.

If you’re running any of the major logging solutions today, it makes a lot of sense to evaluate Stream as your inline event processing engine. If you want to try Stream right now, launch our Sandbox to use the full version with ready-made data.

The fastest way to get started with Cribl Stream is to sign-up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign-up and start using Stream within a few minutes.