{"id":31816719,"url":"https://github.com/splunk/splunk-connect-for-kubernetes","last_synced_at":"2025-10-11T09:57:57.370Z","repository":{"id":38554286,"uuid":"120873030","full_name":"splunk/splunk-connect-for-kubernetes","owner":"splunk","description":"Helm charts associated with kubernetes plug-ins","archived":false,"fork":false,"pushed_at":"2024-01-10T01:16:56.000Z","size":1762,"stargazers_count":341,"open_issues_count":14,"forks_count":268,"subscribers_count":49,"default_branch":"develop","last_synced_at":"2024-04-15T02:58:42.075Z","etag":null,"topics":["chart","helm","helm-chart","kubernetes","splunk"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/splunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-02-09T07:33:58.000Z","updated_at":"2024-03-22T01:34:24.000Z","dependencies_parsed_at":"2023-02-13T19:05:20.219Z","dependency_job_id":null,"html_url":"https://github.com/splunk/splunk-connect-for-kubernetes","commit_stats":null,"previous_names":[],"tags_count":29,"template":false,"template_full_name":null,"purl":"pkg:github/splunk/splunk-connect-for-kubernetes","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fsplunk-connect-for-kubernetes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fsplunk-connect-for-kubernetes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fsplunk-connect-for-kubernetes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fsplunk-connect-for-kubernete
s/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/splunk","download_url":"https://codeload.github.com/splunk/splunk-connect-for-kubernetes/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fsplunk-connect-for-kubernetes/sbom","scorecard":{"id":841883,"data":{"date":"2025-08-11","repo":{"name":"github.com/splunk/splunk-connect-for-kubernetes","commit":"bbeefe1886c7e0f5351648993bce68ae93aff3ab"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.4,"checks":[{"name":"Code-Review","score":5,"reason":"Found 15/29 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci_build_test.yaml:1","Warn: no topLevel permission defined: .github/workflows/stale.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci_build_test.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/splunk/splunk-connect-for-kubernetes/ci_build_test.yaml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci_build_test.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/splunk/splunk-connect-for-kubernetes/ci_build_test.yaml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci_build_test.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/splunk/splunk-connect-for-kubernetes/ci_build_test.yaml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci_build_test.yaml:27: update your workflow using 
https://app.stepsecurity.io/secureworkflow/splunk/splunk-connect-for-kubernetes/ci_build_test.yaml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci_build_test.yaml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/splunk/splunk-connect-for-kubernetes/ci_build_test.yaml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci_build_test.yaml:143: update your workflow using https://app.stepsecurity.io/secureworkflow/splunk/splunk-connect-for-kubernetes/ci_build_test.yaml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yaml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/splunk/splunk-connect-for-kubernetes/stale.yaml/develop?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/ci_build_test.yaml:153","Warn: pipCommand not pinned by hash: .github/workflows/ci_build_test.yaml:154","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if 
the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 1.5.4 not signed: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/118977338","Warn: release artifact 1.5.3 not signed: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/97994978","Warn: release artifact v1.5.2 not signed: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/88296824","Warn: release artifact 1.5.1 not signed: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/84162220","Warn: release artifact 1.5.0 not signed: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/74588280","Warn: release artifact 1.5.4 does not have provenance: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/118977338","Warn: release artifact 1.5.3 does not have provenance: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/97994978","Warn: release artifact v1.5.2 does not have provenance: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/88296824","Warn: release artifact 1.5.1 does not have provenance: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/84162220","Warn: release artifact 1.5.0 does not have provenance: https://api.github.com/repos/splunk/splunk-connect-for-kubernetes/releases/74588280"],"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T20:39:41.433Z","repository_id":38554286,"created_at":"2025-08-23T20:39:41.434Z","updated_at":"2025-08-23T20:39:41.434Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279006749,"owners_count":26084185,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chart","helm","helm-chart","kubernetes","splunk"],"created_at":"2025-10-11T09:57:51.621Z","updated_at":"2025-10-11T09:57:57.363Z","avatar_url":"https://github.com/splunk.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# End of Support\n\n**Important:** The Splunk Connect for Kubernetes will reach End of Support on *January 1, 2024*. After that date, this repository will no longer receive updates from Splunk and will no longer be supported by Splunk. Until then, only critical security fixes and bug fixes will be provided. Splunk recommends migrating to [Splunk OpenTelemetry Collector for Kubernetes](https://github.com/signalfx/splunk-otel-collector-chart). 
Please refer to this [migration guide](https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md) for more details.\n\n# What does Splunk Connect for Kubernetes do?\n\nSplunk Connect for Kubernetes provides a way to import and search your Kubernetes logging, object, and metrics data in your Splunk platform deployment.  Splunk Connect for Kubernetes supports importing and searching your container logs on the following technologies:\n\n\n* [Amazon Web Services (AWS) Elastic Container Service (ECS) and AWS Fargate, using Firelens.](https://github.com/splunk/splunk-connect-for-kubernetes/tree/develop/firelens) \n* Amazon Elastic Kubernetes Service (Amazon EKS)\n* Azure Kubernetes Service (AKS)\n* Google Kubernetes Engine (GKE)\n* Openshift\n\n\nSplunk Inc. is a proud contributor to the Cloud Native Computing Foundation (CNCF). Splunk Connect for Kubernetes utilizes and supports multiple CNCF components in the development of these tools to get data into Splunk.\n\n\n## Prerequisites\n\n* Splunk Enterprise 8.0 or later\n* An HEC token. See the following topics for more information:\n  * https://docs.splunk.com/Documentation/Splunk/8.2.9/Data/UsetheHTTPEventCollector\n  * https://docs.splunk.com/Documentation/Splunk/8.2.9/Data/ScaleHTTPEventCollector\n* You should be familiar with your Kubernetes configuration and know where your log information is collected in your Kubernetes deployment.\n* Administrator access to your Kubernetes cluster.\n* To install using Helm (best practice), verify you are running Helm in your Kubernetes configuration. See https://github.com/kubernetes/helm for more information.\n* A minimum of two Splunk platform indexes ready to collect the log data. One for both logs and Kubernetes objects, and one for metrics. You can also create separate indexes for logs and objects, but you will need three Splunk platform indexes.\n\n## Before you begin\nSplunk Connect for Kubernetes supports installation using Helm. 
Read the Prerequisites and Installation and Deployment documentation before you start your deployment of Splunk Connect for Kubernetes.\n\nPerform the following steps before you install:\n\n1. Create a minimum of two Splunk platform indexes:\n* One events index, which will handle logs and objects (you may also create two separate indexes for logs and objects).\n* One metrics index.\nIf you do not configure these indexes, Kubernetes Connect for Splunk uses the defaults created in your HTTP Event Collector (HEC) token.\n\n2. Create a HEC token if you do not already have one. If you are installing the connector on Splunk Cloud, file a ticket with Splunk Customer Service and they will deploy the indexes for your environment, and generate your HEC token.\n\n## Deploy with Helm\n\nHelm, maintained by the CNCF, allows the Kubernetes administrator to install, upgrade, and manage the applications running in their Kubernetes clusters.  For more information on how to use and configure Helm Charts,  see the Helm [site](https://helm.sh/) and [repository](https://github.com/kubernetes/helm) for tutorials and product documentation. Helm is the only method that the Splunk software supports for installing Splunk Connect for Kubernetes.\n\nTo install and configure defaults with Helm:\n\n* Add Splunk chart repo \n```bash\nhelm repo add splunk https://splunk.github.io/splunk-connect-for-kubernetes/\n```\n\n* Get values file in your working directory \n\nHelm 2\n```bash\nhelm inspect values splunk/splunk-connect-for-kubernetes \u003e values.yaml\n```\nHelm 3\n```bash\nhelm show values splunk/splunk-connect-for-kubernetes \u003e values.yaml\n```\n\n* Prepare this Values file. 
Once you have a Values file, you can simply install the chart by running\n\nHelm 2\n```bash\nhelm install --name my-splunk-connect -f values.yaml splunk/splunk-connect-for-kubernetes\n```\nHelm 3\n```bash\nhelm install my-splunk-connect -f values.yaml splunk/splunk-connect-for-kubernetes\n```\n\nTo learn more about using and modifying charts, see:\n* https://github.com/splunk/splunk-connect-for-kubernetes/tree/main/helm-chart\n* https://docs.helm.sh/using_helm/#using-helm.\n\n## Configuration variables for Helm\n\nTo learn more about using and modifying charts, see:\n* [The values file for logging](https://github.com/splunk/splunk-connect-for-kubernetes/blob/main/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-logging/values.yaml)\n* [The values file for metrics](https://github.com/splunk/splunk-connect-for-kubernetes/blob/main/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-metrics/values.yaml)\n* [The values file for objects](https://github.com/splunk/splunk-connect-for-kubernetes/blob/main/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-objects/values.yaml)\n\n## Deploy using YAML (unsupported)\n\n\u003e Only deploying by Helm is supported by Splunk.\n\nYou can grab the manifest YAML files and use them to create the Kubernetes objects needed to deploy Splunk Connect for Kubernetes. Please note that installation and debugging for Splunk Connect for Kubernetes through YAML is community-supported only.\n\nWhen you use YAML to deploy Splunk Connect for Kubernetes, the installation does not create the default configuration that is created when you install using Helm. To deploy the connector using YAML, you must know how to configure your Kubernetes variables to work with the connector. If you are not familiar with this process, we recommend that you use the Helm installation method.\n\nTo configure the Splunk Connector for Kubernetes using YAML files:\n\n1. 
Grab the Charts and Manifest files from https://github.com/splunk/splunk-connect-for-kubernetes\n\n2. Read through all YAML files in the Manifests folder and make any necessary changes. Note that the YAML files in the Manifests folder are examples and are not expected to be used as provided.\n\n3. Verify that your Kubernetes logs are recognized by Splunk Connect for Kubernetes.\n\n# Architecture\n\nSplunk Connect for Kubernetes deploys a DaemonSet on each node. In the DaemonSet, a Fluentd container runs and collects the data. Splunk Connector for Kubernetes collects three types of data:\n\n* Logs: Splunk Connect for Kubernetes collects two types of logs:\n  * Logs from Kubernetes system components (https://kubernetes.io/docs/concepts/overview/components/)\n  * Applications (container) logs\n* [Objects](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/)\n* Metrics\n\nTo collect the data, Splunk leverages:\n\n* [Fluentd](https://www.fluentd.org/)\n* [JQ plugin](https://rubygems.org/gems/fluent-plugin-jq) for transforming data\n* [Splunk HEC output plug-in](https://github.com/splunk/fluent-plugin-splunk-hec): The [HTTP Event Collector](http://dev.splunk.com/view/event-collector/SP-CAAAE6M) collects all data sent to Splunk for indexing.\n* For Splunk Connect for Kubernetes, Splunk uses the [node logging agent](https://kubernetes.io/docs/concepts/cluster-administration/logging/#using-a-node-logging-agent) method. See the [Kubernetes Logging Architecture](https://kubernetes.io/docs/concepts/cluster-administration/logging/) for an overview of the types of Kubernetes logs from which you may wish to collect data as well as information on how to set up those logs.\n\n## Logs\n\nSplunk Connect for Kubernetes uses the Kubernetes [node logging agent](https://kubernetes.io/docs/concepts/cluster-administration/logging/#using-a-node-logging-agent) to collect logs. Splunk deploys a DaemonSet on each of these nodes. 
Each DaemonSet holds a Fluentd container to collect the data. The following plugins are enabled in that Fluentd container:\n\n* [in_systemd](https://rubygems.org/gems/fluent-plugin-systemd) reads logs from systemd journal if systemd is available on the host.\n* [in_tail](https://docs.fluentd.org/v1.0/articles/in_tail) reads logs from file system.\n* [filter_jq_transformer](https://rubygems.org/gems/fluent-plugin-jq) transforms the raw events to a Splunk-friendly format and generates source and sourcetypes.\n* [out_splunk_hec](https://github.com/splunk/fluent-plugin-splunk-hec) sends the translated logs to your Splunk platform indexes through the HTTP Event Collector input (HEC).\n\n## Kubernetes Objects\n\nSplunk Connect for Kubernetes collects Kubernetes objects that can help users access cluster status. Splunk deploys code in the Kubernetes cluster that collects the object data. That deployment contains one pod that runs Fluentd which contains the following plugins to help push data to Splunk:\n\n* [in_kubernetes_objects](https://github.com/splunk/fluent-plugin-kubernetes-objects) collects object data by calling the Kubernetes API (by https://github.com/abonas/kubeclient). in-kubernetes-objects supports two modes:\n  * watch mode: the Kubernetes API sends new changes to the plugin. In this mode, only the changed data is collected.\n  * pull mode: the plugin queries the Kubernetes API periodically. In this mode, all data is collected.\n* [filter_jq_transformer](https://rubygems.org/gems/fluent-plugin-jq) transforms the raw data into a Splunk-friendly format and generates sources and sourcetypes.\n* [out_splunk_hec](https://github.com/splunk/fluent-plugin-splunk-hec) sends the data to Splunk via HTTP Event Collector input (HEC).\n\n## Metrics\n\nSplunk Connect for Kubernetes deploys daemonsets on the Kubernetes cluster. 
These daemonsets have exactly one pod, which runs one container:\n\n* [Fluentd metrics plugin](https://github.com/splunk/fluent-plugin-kubernetes-metrics) collects the metrics, formats the metrics for Splunk ingestion by assuring the metrics have proper metric_name, dimensions, etc., and then sends the metrics to Splunk using out_splunk_hec using Fluentd engine.\n\nMake sure your Splunk configuration has a metrics index that is able to receive the data. See [Get started with metrics](http://docs.splunk.com/Documentation/Splunk/7.2.4/Metrics/GetStarted) in the Splunk Enterprise documentation.\n\nIf you want to learn more about how metrics are monitored in a Kubernetes cluster, see Tools for [Monitoring Compute, Storage, and Network Resources](https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/).\n\nIf you want to learn more about which metrics are collected and metric names used with Splunk Connect for Kubernetes, view the metrics [schema](https://github.com/splunk/fluent-plugin-kubernetes-metrics).\n\n# Performance\n\nSome parameters used with Splunk Connect for Kubernetes can have an impact on overall performance of log ingestion, objects, or metrics. In general, the more filters that are added to one of the streams, the greater the performance impact.\n\nSplunk Connect for Kubernetes can exceed the default throughput of HEC. To best address capacity needs, Splunk recommends that you monitor the HEC throughput and back pressure on Splunk Connect for Kubernetes deployments and be prepared to add additional nodes as needed.\n\n# Processing multiline Logs\n\nOne possible filter option is to enable the processing of multiline events. This feature is currently experimental and considered to be community supported.\n\n# Configuring multiline fluentd filters to line break multiline logs\n\nConfigure apache tomcat multiline logs using the following steps:\n\n\n1. 
Develop a multiline filter with the proper regex and test the regex using a site such as https://rubular.com/\n\n```bash\n\u003cfilter tail.containers.var.log.containers.toolbox*toolbox*.log\u003e\n        @type concat\n        key log\n        timeout_label @SPLUNK\n        stream_identity_key stream\n        multiline_start_regexp /^\\d{4}-\\d{2}-\\d{2}\\s\\d{2}:\\d{2}:\\d{2}|^\\d{4}-\\d{2}-\\d{2}\\s\\d{2}:\\d{2}:\\d{2}|^\\d{1,3}.\\d{1,3}.\\d{1,3}.\\d{1,3}\\s-\\s-/\n        multiline_end_regexp /\\\\n$/\n        separator \"\"\n        flush_interval 5s\n\u003c/filter\u003e\n```\n\n2. Add the multiline filter to your deployment's [logging configmap](https://github.com/splunk/splunk-connect-for-kubernetes/blob/develop/manifests/splunk-kubernetes-logging/configMap.yaml), using the [customFilters](https://github.com/splunk/splunk-connect-for-kubernetes/blob/develop/helm-chart/splunk-connect-for-kubernetes/values.yaml#L440) parameter.\n\n3. Update `separator` config if required. `\"\"` is the default separator.\n\n4. Save your changes.\n\n# Managing SCK Log Ingestion by Using Annotations\n\nManage Splunk Connect for Kubernetes Logging with these supported annotations.\n\n* Use `splunk.com/index` annotation on pod and/or namespace to tell which Splunk platform indexes to ingest to. Pod annotation will take precedence over namespace annotation when both are annotated.\n  Example: `kubectl annotate namespace kube-system splunk.com/index=k8s_events`\n* Set `splunk.com/exclude` annotation to `true` on pod and/or namespace to exclude its logs from being ingested into your Splunk platform deployment.\n* Use `splunk.com/sourcetype` annotation on pod to overwrite `sourcetype` field. If not set, it is dynamically generated to be `container:CONTAINER_NAME`. 
Note that the sourcetype will be prefixed with `.Values.sourcetypePrefix` (default: `kube:`).\n\nRegarding excluding container logs: If possible, it is more efficient to exclude them using the `fluentd.exclude_path` option.\n\n# Searching for SCK metadata in Splunk\nSplunk Connect for Kubernetes sends events to Splunk which can contain extra metadata attached to each event. Metadata values such as \"pod\", \"namespace\", \"container_name\", \"container_id\", \"cluster_name\" will appear as fields when viewing the event data inside Splunk.\nThere are two solutions for running searches in Splunk on metadata.\n\n* Modify search to use `fieldname::value` instead of `fieldname=value`.\n* Configure `fields.conf` on your downstream Splunk system to have your metadata fields available to be searched using `fieldname=value`. Example: [fields.conf.example](https://github.com/splunk/splunk-connect-for-kubernetes/blob/develop/fields.conf.example)\n\nFor more information on index time field extraction please view this [guide](https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction#Where_to_put_the_configuration_changes_in_a_distributed_environment).\n\n# Sending logs to ingest API\nSplunk Connect for Kubernetes can be used to send events to [Splunk Ingest API](https://sdc.splunkbeta.com/reference/api/ingest/v1beta2). 
In the ingest_api section of the yaml file you are using to deploy, the following configuration options have to be configured:\n* serviceClientIdentifier - Splunk Connect for Kubernetes uses the client identifier to make authorized requests to the ingest API.\n* serviceClientSecretKey - Splunk Connect for Kubernetes uses the client secret key to make authorized requests to the ingest API.\n* tokenEndpoint - This value indicates which endpoint Splunk Connect for Kubernetes should look to for the authorization token necessary for making requests to the ingest API.\n* ingestAPIHost - Indicates which URL/hostname to use for requests to the ingest API.\n* tenant - Indicates which tenant Splunk Connect for Kubernetes should use for requests to the ingest API.\n* eventsEndpoint - Indicates which endpoint to use for requests to the ingest API.\n* debugIngestAPI - Set to True if you want to debug requests and responses to the ingest API.\n\n# Maintenance And Support\nSplunk Connect For Kubernetes is supported through Splunk Support assuming the customer has a current Splunk support entitlement ([Splunk Support](https://www.splunk.com/en_us/about-splunk/contact-us.html#tabs/tab_parsys_tabs_CustomerSupport_4)). For customers that do not have a current Splunk support entitlement, please search [open and closed issues](https://github.com/splunk/splunk-connect-for-kubernetes/issues?q=is%3Aissue) and create a new issue if not already there.\nThe current maintainers of this project are the DataEdge team at Splunk.\n\n# License\n\nSee [LICENSE](https://github.com/splunk/splunk-connect-for-kubernetes/blob/main/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fsplunk-connect-for-kubernetes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsplunk%2Fsplunk-connect-for-kubernetes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fsplunk-connect-for-kubernetes/lists"}