
What’s the ROI of implementing Cribl LogStream?

Written by Mo Hassan

September 21, 2021

We are living in an age of explosive data growth. IDC projects that data doubles every 2 years, and IT data is not immune to this trend. With this growth come other imperatives:

  • The need to share data among repositories.
  • Pressure to cut the cost of data retention.
  • Pressure to reduce the labor associated with reformatting log events to a consumable state for ingestion into the analysis system.

Fortunately, Cribl LogStream makes it easier to stay ahead of the curve. Historically, many customers have combined the analysis tier (e.g., Splunk, ElasticSearch, Kafka, HDFS) with the storage tier (system of record). However, the increasing costs and complexity of those environments prompt many businesses to explore other options to reduce the cost of analysis while maintaining the full fidelity of the captured events. Enter LogStream!

This blog walks through the LogStream ROI calculator and how it shows that you can get longer data retention without added ingestion costs. In addition, we will analyze the total cost of ownership (TCO), covering both capital and operational expenses. This blog will also look at the opportunity costs of not leveraging inline data reshaping and enrichment. Finally, we will demonstrate the validity of the analysis with a real-world case study of a 5TB/day customer.

Key Takeaways

  • 3-year ROI analysis for LogStream usually yielded 150% or higher returns.
  • LogStream plays a significant role in reducing overall TCO.
  • LogStream’s expected ROI “ratio” is $1-to-$2 (up to $4 in some cases).
  • While calculating ROI for inline enrichment, masking, transformation, and routing, it is implicitly understood that LogStream will enhance your operational efficiency and compliance posture.

Commonly Asked Questions

When Cribl engages with a customer in a discussion around ROI and TCO, a list of common questions emerges. Here they are:

LogStream Use Cases:

LogStream is designed to cover multiple use cases. The top use cases tend to be searchable data reduction and archival data reduction; however, many customers have other pain points and find LogStream to be instrumental in addressing their needs. Here is a visual flow diagram that can help you choose how to solve some of your challenges.


To have a defensible ROI calculation, we need the following data points collected:

  • Estimated software cost (license of any infrastructure component impacted by LogStream).
  • Estimated hardware costs (On-prem or BYOL Cloud).
  • Estimated storage costs (On-prem or BYOL Cloud).
  • Estimated network costs (Cloud egress, WAN charges).
  • Estimated labor costs of data reshaping.
  • Estimated reductions (or reduction percentage observed during POV).

Cribl developed a comprehensive spreadsheet designed to be defensible and understandable to budget holders. Being both defensible and understandable means we have to gather as many details as possible about the existing cost of the current environment. Then, we apply the estimated LogStream license cost (plus hardware implementation cost). Next, we apply the estimated reduction percentage against a 1-, 2-, or 3-year growth forecast.

The final output will measure the Return on Investment (ROI) and new Total Cost of Ownership (TCO) with a great degree of accuracy. In addition, the calculator can intelligently estimate your Splunk hardware and storage requirements based on your retention policies and type of “major” Splunk apps installed.

The diagram below shows the major cost categories we need to capture.

Case Study

This is an example of a real-world calculation from a customer with the following data points:

  • 5TB/day daily ingestion.
  • 7 days hot/warm retention.
  • 90 days cold retention.
  • 354 days frozen (archived) retention.
  • No major Splunk apps (ES, ITSI, VMware).
  • 2 syslogs, EC2, c6g.xlarge, 24 vCPU, 12 GB RAM.
  • 2 HFs, EC2, c6g.12xlarge, 48 vCPU, 64 GB RAM.
  • 17 IDXs, EC2, c5a.24xlarge, 96 vCPU, 128 GB RAM.
  • Running Splunk in AWS cloud (BYOL model).

The following table reflects the TCO for the life cycle of Splunk (3 years). First, we show the percentage of cost reduction we achieved and then calculate the new TCO per cost category.

TCO Summary

LogStream Sizing Calculation (Cost of Hardware Implementation)

Finally, we calculate the ROI in percentage and ratio. The Year 1 ROI is 299% for this customer, with a ratio of $4 gained for every $1 spent on LogStream.

ROI Summary

Did I say finally? I lied. We also will produce some graphs that communicate the value of LogStream. Here are some examples. This graph shows the cost of LogStream (excluding implementation, which is captured in the table above) vs. savings.

This graph shows major categories of cost reductions, in dollars:


After examining the TCO of your current analysis system and seeing the benefits achieved in a real-world case study, it will be easy to understand why LogStream is quickly becoming the fastest and hottest technology for volume reduction and events streaming. Furthermore, it will be clear that when you track all costs associated with your current logging solution, purchasing Cribl LogStream becomes a no-brainer.

And even with costs aside, whether in an on-premises or cloud-based deployment, there are side benefits to LogStream that are sometimes very difficult to calculate ROI for. These include:

  • Routing to multiple destinations.
  • Heavy Forwarder replacement.
  • Better event reshaping tooling.
  • Internal WAN charges reduction (greater impact in APAC & EMEA regions).
  • Enhanced Splunk searching and indexing performance.
  • Better compliance by using inline encryption vs. encrypting data at rest.
  • Better security investigation with inline lookups (IP-to-hostname).
  • Enhanced resiliency with LogStream’s Persistent Queues feature.

If you’re running any of the major logging solutions today, it makes a lot of sense to evaluate LogStream as your inline event processing engine. If you want to try LogStream right now, launch our Sandbox to use the full version with ready-made data.

The fastest way to get started with Cribl LogStream is to sign up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign up and start using LogStream within a few minutes.
