Kubernetes Search

Release history

Kubernetes Search versions independently of the Collectord agent and the Monitoring apps, using standard semantic versioning.

1.0.0

Initial release.

  • Live search commands: | k8s (list and get resources), | k8slogs (pod logs), | k8sevents (cluster events), | k8sdescribe (an object together with its events), and | k8syaml (format results as YAML). See the Command reference.
  • Multi-cluster. Register multiple clusters and target them with context=, including parallel fan-out across a glob or all clusters, with a cluster field on every row.
  • Authentication. Bearer token and client-certificate credentials, kept in Splunk’s encrypted credential store. Import a kubeconfig to register a cluster quickly.
  • Access control. Dedicated roles and capabilities, plus three credential models - shared, per-user, and Kubernetes impersonation - for controlling whose RBAC a search runs under. See Access control.
  • Dashboards. Cluster health, system components, workloads, incident snapshot, reliability troubleshooting, events, logs explorer, resource hygiene, networking and storage, and per-pod and per-node detail views. See Dashboards.
  • Caching. Short-lived on-disk result cache with per-search cache= override and _cache_hit / _cache_age_seconds reporting.
  • Search head clustering support (paid license), with cluster registrations and credentials replicated across members.
  • Free tier: one cluster on a single standalone search head, no license key required.

Requires Splunk Enterprise 9.4, 10.0, 10.2, or 10.4 on a search head, and Kubernetes 1.20 or later. See Requirements for the full compatibility matrix.

Known issues and limitations

  • AWS IAM / EKS authentication is not yet available. Authenticate to EKS with a bearer token; native IAM support is planned for a future release.
  • Pod logs are a point-in-time snapshot. | k8slogs does not follow (tail) the log; re-run the search to see newer lines.
  • Events are bounded by Kubernetes retention, about an hour by default.
  • Impersonation is unavailable to scheduled and saved searches, which run as nobody with no user identity to impersonate.