What is Expanso and how does it work?

Expanso is a managed platform for deploying intelligent data pipelines at the edge. It processes data where it's generated - reducing bandwidth, latency, and costs. You deploy lightweight agents on your infrastructure, build pipelines using our visual builder or YAML, and control everything from a central SaaS platform.

Can I run AI/ML models directly in my data pipelines?

Yes! Expanso supports running ONNX, TensorFlow Lite, and other models as native pipeline steps. Execute low-latency inference on streaming data, enrich events with model outputs (like risk scores), and make decisions at the edge without cloud round-trips.

How many pre-built components are available?

Expanso provides 200+ pre-built components including inputs (Kafka, HTTP, files), processors (transformations, filtering, PII masking, aggregations), and outputs (S3, Snowflake, Datadog, Splunk). Browse the complete catalog in our Component Reference.

Do I need to write code to build pipelines?

No - use our drag-and-drop visual pipeline builder to create sophisticated pipelines without code. For advanced use cases, you can also write pipelines in YAML or use the Bloblang transformation language for complex data mappings.

How does Expanso help with data governance and compliance?

Expanso includes built-in governance features: automatic PII detection and masking, policy enforcement at the edge, RBAC, SSO integration, and comprehensive audit trails. Mask sensitive data before it ever leaves your network.

Collect Specific Application Logs

Focus on logs from specific applications using namespace and label selectors.

Pipeline

input:
  subprocess:
    name: oc
    args:
      - logs
      - --namespace=production
      - --all-containers=true
      - --prefix=true
      - --follow
      - --selector=app=point-of-sale
    codec: lines
    restart_on_exit: true

pipeline:
  processors:
    - mapping: |
        # Parse and structure logs
        root = this.parse_json().catch({
          "message": this,
          "level": "info"
        })
        root.cluster = env("CLUSTER_NAME")
        root.location = env("LOCATION")
        root.app = "point-of-sale"
        root.timestamp = now()

output:
  broker:
    pattern: fan_out
    outputs:
      # Real-time to Elasticsearch
      - elasticsearch_v2:
          urls: ['https://elasticsearch.company.com:9200']
          index: 'sno-pos-logs-${! timestamp_unix("2006-01-02") }'
          batching:
            count: 100
            period: 10s

      # Archive to S3
      - aws_s3:
          bucket: sno-app-logs
          path: 'pos/${! env("CLUSTER_NAME") }/${! timestamp_unix() }.jsonl'
          batching:
            count: 5000
            period: 10m

What This Does

Namespace filtering: Only collects from production namespace
Label selector: Only pods with app=point-of-sale label
JSON parsing: Attempts to parse structured logs, falls back to plain text
Dual destination: Real-time search in Elasticsearch, long-term archive in S3
Different batching: Fast (10s) for Elasticsearch, slower (10m) for S3

Label Selectors

Single label:

--selector=app=point-of-sale

Multiple labels (AND):

--selector=app=point-of-sale,tier=frontend

Multiple values (OR):

--selector=app in (point-of-sale,inventory)

Exclude labels:

--selector=app=point-of-sale,tier!=backend

Use Cases

Production monitoring: Only collect production app logs, ignore dev/test

Specific application: Focus on critical business application (POS, inventory, etc.)

Multi-tenant: Separate pipelines per tenant/customer namespace

Compliance: Collect logs only from applications with compliance requirements

Multiple Application Pipelines

Run separate pipelines for different applications:

pos-logs.yaml:

input:
  subprocess:
    name: oc
    args: [logs, --namespace=production, --selector=app=point-of-sale, --follow]
output:
  aws_s3:
    bucket: pos-logs

inventory-logs.yaml:

input:
  subprocess:
    name: oc
    args: [logs, --namespace=production, --selector=app=inventory, --follow]
output:
  aws_s3:
    bucket: inventory-logs

Dynamic Configuration

Use environment variables for flexible deployment:

input:
  subprocess:
    name: oc
    args:
      - logs
      - --namespace=${NAMESPACE}
      - --selector=${LABEL_SELECTOR}
      - --follow

Set per deployment:

export NAMESPACE=production
export LABEL_SELECTOR="app=point-of-sale"

Next Steps

Collect Logs: Collect from all namespaces
Offline-Resilient: Add buffering for application logs
Best Practices: Optimize for SNO environments

Pipeline​

What This Does​

Label Selectors​

Use Cases​

Multiple Application Pipelines​

Dynamic Configuration​

Next Steps​