From 29745cb994b78857b808fc64c8d246665456adf7 Mon Sep 17 00:00:00 2001
From: mkarlstrand-splunk
 <49571555+mkarlstrand-splunk@users.noreply.github.com>
Date: Tue, 9 Jun 2020 14:36:07 -0700
Subject: [PATCH] Update faq.md

---
 docs/faq.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/faq.md b/docs/faq.md
index cef23d3..8d6a4dd 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -48,3 +48,7 @@ Layered networking shrinks the maximum UDP message which causes data loss due to
 Long lived TCP connections cause well known problems
 OpenShift doesn't actually use Podman, it uses a library to wrap OCI that Podman also uses. this wrapper around the wrapper has some shortcomings that prevent the service definitions SC4S requires.
 Basically, K8s was built for a very different set of problems than syslog
+
+## Q: If the XL reference HW can handle just under 1 TB/day how can SC4S be scaled to handle large deployments of many TB/day?
+
+A: SC4S is a distributed architecture. SC4S instances should be deployed in the same VLAN as the source devices. This means that each SC4S instance will only see a subset of the total syslog traffic in a large deployment. Even in a 100+ TB deployment the individual SC4S instances will see loads in GB/day not TB/day.