Case Study

Swisslos Leverages Cribl Stream and Edge to Optimize Kubernetes and Enhance Splunk Performance

“THE PRICING IS VERY ATTRACTIVE, AND THE RETURN ON INVESTMENT WAS REALLY FAST. IT MADE A MEASURABLE DIFFERENCE WITHIN A COUPLE OF WEEKS.”

JORIS VUFFRAY,
HEAD OF NETWORK & SYSTEM MANAGEMENT

“DEPLOYING AN APPLICATION IN A TESTING ENVIRONMENT USED TO GENERATE HUNDREDS OF GBS IN 15 MINUTES. WE CAN NOW SAMPLE IT IN A COUPLE OF SECONDS TO MAKE SURE WE'RE STILL COMPLIANT WITH OUR SPLUNK LICENSE.”

JORIS VUFFRAY,
HEAD OF NETWORK & SYSTEM MANAGEMENT

Swisslos is a Swiss lottery company that offers lotteries, sports bets, and instant tickets in Switzerland. A growing number of sports bets and live events has increased the volume of data needed to keep the platform performant, and has also increased daily profit, which is now up to $1.3 million a day.

An enormous amount of data is generated by all the physical and online stores selling Swisslos’ offerings. A few years ago, the team switched to Kubernetes services to help automate the deployment, load balancing, and scaling of their containerized applications. This reduced the IT team’s workload, but the team at Swisslos soon noticed that the number of logs generated each day, primarily from web application firewalls (WAF) and other critical applications, was growing at an unsustainable rate. The team needed a strategy to keep pace with rapid data growth while staying lean as a team and keeping tooling costs relatively flat.

Swisslos decided to bring in Cribl Stream to tackle the challenges posed by the increasing volume and fidelity of logging infrastructure.

Easy Management and Reduction of the Splunk License

With the increase in log volume and variety came more complicated logs, several of them formatted in JSON, all of which took up valuable space in Swisslos’s Splunk license. Most of the logs, and the information within them, weren’t useful, so reducing unnecessary data was the first thing the team focused on.

Cribl Stream enabled them to filter their data effectively and store only what was necessary, helping to optimize their log storage and usage.

“By using Cribl Stream, we were able to reduce the growth of our Kubernetes cluster by 35% — and we reduced our web application firewall and web logs by over 50%.”

In addition to reducing that data, Joris and his team also use Cribl’s sampling feature, which allows them to bring in just enough data that their analysis remains statistically significant. This way, they can do any necessary troubleshooting from a small portion of data that is representative of the entire pool that was generated.

Increased Splunk Performance

Joris is making use of Cribl Stream’s enrichment capabilities as well, using lookups to do things like changing product IDs to product names. They also have an easier time adding GeoIP information using Cribl Stream instead of Splunk.

With less data overloading the application and better quality data going into it, Joris has noticed a huge improvement in Splunk’s performance.

“Everything we're doing now in Cribl was done on the indexer or heavy forwarder before, so those parts of the Splunk installation have much less to do. Cribl helped us to significantly increase the performance of Splunk.”

Easy Access to Live Data In Real Time
The team at Swisslos was pleasantly surprised at how fast it was to set up and install Cribl Stream.

“We had Cribl Stream up and running within a few hours, and there was essentially no learning curve. In Splunk, we had to be creative and use some tricks to do everything we needed. It’s the opposite with Cribl.”

To see live data in Splunk, they had to change configs and restart it every time they wanted to see those changes. With Cribl, they’re able to see changes in real time.

“The most important benefit from Cribl is being able to see live data and the impact changes will have on the data in real time. The integrated change tracking is also pretty cool.”

Less Time Spent on Admin Work

One of the benefits of making these kinds of changes so quickly is that system admins get time back in their day. The added flexibility is having a big impact on the organization.

“Our admins can do their work 3-5 times faster with Cribl. We can provide solutions for test or dev teams easier than before, when we had to check configurations and restart the Splunk installation every time we made big changes.”

Increased Visibility Into Kubernetes
Before implementing Cribl Stream, Swisslos struggled to manage the vast amount of data that needed to be logged out of their Kubernetes cluster. Keeping all of their data in the same place made security monitoring difficult, and they were looking for an easier way to route data to specific indexes within Splunk. Cribl gives them the ability to route and retain data in different indexes, each with its own retention period, to speed up security investigations and make better use of the teams’ time.

“In Splunk, we had to use loads of regexes to rewrite formats, source types, and indexes. We can do this live in Cribl and send it to Splunk very easily, already sorted and routed to the right index or source type.”

Faster Incident Response Times
Swisslos can also respond faster to security incidents since making Cribl Stream a part of their infrastructure. They resolved a recent security issue in a fraction of the usual time with the help of Cribl Stream. They could quickly isolate the data necessary for the investigation, and because it was already enriched, searches populated faster, helping analysts reduce mean time to remediation (MTTR).

“It only took a few minutes to gather the information we needed to respond to the security attack. We took care of it on the phone in one afternoon, when normally it would have taken two weeks. We just took care of it.”

Staying Ahead of Regulatory Requirements
GDPR compliance regulations aren’t as strict in Switzerland as they are in the rest of the EU, but since Swisslos has customers in Liechtenstein, they do have some compliance requirements they need to follow. They’ve also begun experimenting with Stream’s encryption and masking capabilities to prepare for the inevitable, stricter regulations that are on the way.

“When it comes to regulations, we don’t always know what will be required in the future. But with Cribl Stream in place, I don't really have to worry about it. My management can just tell me what information needs to be masked or encrypted, and it will be done in a few clicks.”

Using Cribl Edge to Pull Data From Kubernetes
Swisslos is also using Cribl Edge, so they no longer have to rely on Fluentd to gather data from Kubernetes. Edge offers automatic discovery of host, container, and application data on endpoints and gives users extra processing power with its functions and pipelines. The UI allows you to explore, preview, and build configs before forwarding data to any of the many supported destinations. Compared to Fluentd, the combination of Cribl Edge and Stream is not only faster and easier to use, it’s also turnkey, significantly reducing the long-term build and maintenance workload for the team.

“We have Cribl Edge installed on all of our test Kubernetes nodes to gather logs and metrics. So far, it’s already a lot easier than deploying the Splunk forwarder. It deploys in five minutes, and then it’s done.”

About Cribl

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit cribl.io or our LinkedIn, Twitter, or Slack community.