What is Expanso and how does it work?

Expanso is a managed platform for deploying intelligent data pipelines at the edge. It processes data where it's generated - reducing bandwidth, latency, and costs. You deploy lightweight agents on your infrastructure, build pipelines using our visual builder or YAML, and control everything from a central SaaS platform.

Can I run AI/ML models directly in my data pipelines?

Yes! Expanso supports running ONNX, TensorFlow Lite, and other models as native pipeline steps. Execute low-latency inference on streaming data, enrich events with model outputs (like risk scores), and make decisions at the edge without cloud round-trips.

How many pre-built components are available?

Expanso provides 200+ pre-built components including inputs (Kafka, HTTP, files), processors (transformations, filtering, PII masking, aggregations), and outputs (S3, Snowflake, Datadog, Splunk). Browse the complete catalog in our Component Reference.

Do I need to write code to build pipelines?

No - use our drag-and-drop visual pipeline builder to create sophisticated pipelines without code. For advanced use cases, you can also write pipelines in YAML or use the Bloblang transformation language for complex data mappings.

How does Expanso help with data governance and compliance?

Expanso includes built-in governance features: automatic PII detection and masking, policy enforcement at the edge, RBAC, SSO integration, and comprehensive audit trails. Mask sensitive data before it ever leaves your network.

Send K3s Logs to Multiple Destinations

Send logs to both S3 for long-term storage and Elasticsearch for real-time search using the broker output pattern.

Pipeline

input:
  subprocess:
    name: kubectl
    args:
      - logs
      - --all-containers=true
      - --prefix=true
      - --follow
      - --all-namespaces
    codec: lines
    restart_on_exit: true

pipeline:
  processors:
    - mapping: |
        root = this.parse_json().catch({
          "message": this,
          "level": "info"
        })
        root.node_id = env("NODE_ID")
        root.timestamp = now()

output:
  broker:
    pattern: fan_out
    outputs:
      # Long-term storage in S3
      - aws_s3:
          bucket: edge-k3s-logs-archive
          path: 'logs/${! env("NODE_ID") }/${! timestamp_unix() }.jsonl'
          batching:
            count: 5000
            period: 5m

      # Real-time search in Elasticsearch
      - elasticsearch_v2:
          urls: ['https://elasticsearch.company.com:9200']
          index: 'k3s-logs-${! timestamp_unix("2006-01-02") }'
          batching:
            count: 100
            period: 10s

What This Does

Fan-out pattern: Sends each log to both destinations simultaneously
S3 for archival: Large batches (5000 logs, 5 minutes) reduce API costs
Elasticsearch for search: Small batches (100 logs, 10 seconds) enable near-real-time queries
JSON parsing: Attempts to parse logs as JSON, falls back to plain text
Daily indices: Elasticsearch uses date-based indices for easier management

Fan-Out Pattern

The broker output with pattern: fan_out duplicates each log message and sends it to all configured outputs. Both outputs must succeed for the message to be acknowledged.

Different Batching Strategies

S3 batching (5000 logs / 5 minutes):

Optimized for cost (fewer API calls)
Acceptable latency for archival use case

Elasticsearch batching (100 logs / 10 seconds):

Optimized for freshness (recent logs appear quickly)
Higher API call rate acceptable for search use case

Use Cases

Compliance + operations: Store all logs in S3 for compliance, search recent logs in Elasticsearch for debugging

Cost optimization: Keep 7 days in Elasticsearch, years in S3

Disaster recovery: If Elasticsearch goes down, all logs still flow to S3

Next Steps

Filter by Log Level: Reduce volume by only sending errors to Elasticsearch
Best Practices: Learn about batching and performance tuning
Broker Output: Component reference

Pipeline​

What This Does​

Fan-Out Pattern​

Different Batching Strategies​

Use Cases​

Next Steps​