Outcold Solutions LLC

FAQ and the common questions

I do not see IO metrics on hosts dashboards

We use metrics from the blkio-controller. It is not always enabled. As a the workaround, you can use the sum from proc metrics, which we also collect for processes.

I received a license. How do I apply it?

Collector reads license key from the configuration file.

Collector for Kubernetes and Collector for OpenShift

If you are using collector for OpenShift or Kubernetes, you can set the license in the ConfigMap that we include in our configuration yaml files. Find the line license =, add your license key as a value. License key should not have any spaces. Starting from version 5.0 you do not need to restart the collectors after setting the license. It will pick it up automatically after few moments.

If you are using collector version below 5.0 you need to restart collectors. When you modify just a ConfigMap, it does not trigger the restart of the Pod.

You can just delete all the running pods in our namespace, and scheduler will create new pods.

In case of OpenShift: oc delete --namespace collectorforopenshift pods --all

In case of Kubernetes: kubectl delete --namespace collectorforkubernetes pods --all

If you are using version 3 of our solution for Monitoring OpenShift and Kubernetes we deploy our collector in the default namespace. In that case you will need to manually delete all pods and they will be rescheduled with the DaemonSet.

Collector for Docker

For the collector docker you can modify the collector.yaml configuration file if you already have your own. Or you can set the license key with the environment variable --env "COLLECTOR__LICENSE=general__license=...".

Can we use applications with Splunk versions below 6.5?

Our collector sends data to the HTTP Event Collector and it uses Indexed field extractions, this feature was introduced in Splunk 6.5. One workaround is to install the fleet of Heavy Weight Forwarders with the HTTP Event Collector using the latest version of Splunk and configure them to forward data to your indexers. For details see

How much data your application generates?

In the application version 5.3 and above you can find a Splunk Usage dashboard under Setup.

Because we are using Indexed field extractions in HTTP Event Collector, in our tests, we saw less than 5% of Splunk Licensing cost increase for logs.

You can also run a search in Splunk to get the information on how much licensing usage for every source type.

index=_internal source=*metrics.log  | eval MB=kb/1024 | search group="per_sourcetype_thruput" | timechart span=1h sum(MB) by series

In our tests for Kubernetes nodes with 20-30 containers, we have seen around 200Mb a day of data indexed for kubernetes_stats and kubernetes_proc_stats together.

With our demo environment, that had 2 OpenShift clusters (9 nodes in total, 1+3 masters, 1+4 nodes) with 62 pods, this is a breakdown of licensing usage

Splunk Licensing Usage


Please read our blog post about the performance of our collector: Forwarding 10,000 1k events generated by containers from a single host with ease

About Outcold Solutions

Outcold Solutions provides solutions for monitoring Kubernetes, OpenShift and Docker clusters in Splunk Enterprise and Splunk Cloud. We offer certified Splunk applications, which give you insights across all containers environments. We are helping businesses reduce complexity related to logging and monitoring by providing easy-to-use and deploy solutions for Linux and Windows containers. We deliver applications, which help developers monitor their applications and operators to keep their clusters healthy. With the power of Splunk Enterprise and Splunk Cloud, we offer one solution to help you keep all the metrics and logs in one place, allowing you to quickly address complex questions on container performance.