What is Expanso and how does it work?

Expanso is a managed platform for deploying intelligent data pipelines at the edge. It processes data where it's generated - reducing bandwidth, latency, and costs. You deploy lightweight agents on your infrastructure, build pipelines using our visual builder or YAML, and control everything from a central SaaS platform.

Can I run AI/ML models directly in my data pipelines?

Yes! Expanso supports running ONNX, TensorFlow Lite, and other models as native pipeline steps. Execute low-latency inference on streaming data, enrich events with model outputs (like risk scores), and make decisions at the edge without cloud round-trips.

How many pre-built components are available?

Expanso provides 200+ pre-built components including inputs (Kafka, HTTP, files), processors (transformations, filtering, PII masking, aggregations), and outputs (S3, Snowflake, Datadog, Splunk). Browse the complete catalog in our Component Reference.

Do I need to write code to build pipelines?

No - use our drag-and-drop visual pipeline builder to create sophisticated pipelines without code. For advanced use cases, you can also write pipelines in YAML or use the Bloblang transformation language for complex data mappings.

How does Expanso help with data governance and compliance?

Expanso includes built-in governance features: automatic PII detection and masking, policy enforcement at the edge, RBAC, SSO integration, and comprehensive audit trails. Mask sensitive data before it ever leaves your network.

Filter K3s Logs by Level

Reduce log volume and storage costs by filtering to only ERROR and WARN level logs.

Pipeline

input:
  subprocess:
    name: kubectl
    args:
      - logs
      - --all-containers=true
      - --prefix=true
      - --follow
      - --all-namespaces
    codec: lines
    restart_on_exit: true

pipeline:
  processors:
    - mapping: |
        # Parse JSON logs if possible
        root = this.parse_json().catch({
          "message": this,
          "level": "info"
        })
        root.timestamp = now()
        root.node_id = env("NODE_ID")

    # Only keep ERROR and WARN logs
    - switch:
        cases:
          - check: |
              this.level.lowercase().contains_any(["error", "warn", "fatal"])
            processors:
              - mapping: 'root = this'

output:
  aws_s3:
    bucket: edge-k3s-errors
    path: 'errors/${! env("NODE_ID") }/${! timestamp_unix() }.json'
    batching:
      count: 100
      period: 1m

What This Does

Parses JSON logs: Attempts to extract level field from JSON-formatted logs
Filters by level: Only passes through logs containing "error", "warn", or "fatal"
Drops other logs: INFO and DEBUG logs are discarded
Smaller batches: 100 logs since error volume is much lower

Volume Reduction

Typical production applications generate:

90% INFO logs
8% DEBUG logs
2% WARN/ERROR/FATAL logs

This filter reduces log volume by ~90% while retaining all error information.

Handling Non-JSON Logs

The parse_json().catch() pattern handles both JSON and plain text logs:

JSON log (parsed):

{"level": "ERROR", "message": "Database connection failed"}

Plain text log (fallback):

[2024-11-09] ERROR: Database connection failed

For plain text logs, the default level is "info", so they're filtered out unless they contain error keywords in the message.

Keyword Matching

The filter uses contains_any() to match multiple error levels:

this.level.lowercase().contains_any(["error", "warn", "fatal"])

Matches: error, Error, ERROR, warning, WARN, fatal, FATAL

Cost Impact

Before filtering (10,000 logs/minute):

S3 storage: ~50 GB/day
Elasticsearch: ~150 GB/month

After filtering (1,000 logs/minute):

S3 storage: ~5 GB/day
Elasticsearch: ~15 GB/month

Savings: ~90% reduction in storage and processing costs

Next Steps

Multiple Destinations: Send filtered logs to multiple systems
Best Practices: Learn about efficient filtering strategies
Switch Processor: Component reference

Pipeline​

What This Does​

Volume Reduction​

Handling Non-JSON Logs​

Keyword Matching​

Cost Impact​

Next Steps​