The short version: a Splunk Enterprise search head, a network route from it to each cluster, and a credential per cluster. The details below are the full compatibility picture.
Splunk
| Splunk Enterprise | 9.4, 10.0, 10.2, and 10.4 (tested) |
| Splunk Cloud | Supported |
| Install location | Search head only |
| Search head clustering | Supported, with a paid license |
The app installs on search heads alone: there is no indexer or forwarder component, and it writes nothing to an index.
Search head platform
The bundled binary ships for these search-head operating systems and architectures:
- Linux: amd64, arm64
- Windows: amd64
- macOS: amd64, arm64
Kubernetes
| Kubernetes API | 1.20 or later |
| API discovery | Aggregated discovery (apidiscovery.k8s.io) on 1.26 and later; on older clusters the app falls back to the legacy discovery endpoints |
Any conformant distribution works - the app talks to the standard Kubernetes API, so managed services (EKS, GKE, AKS) and self-hosted clusters are all supported.
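The discovery fallback in the table above, as an added Go example that is not the app's own code: it sends the Accept header client-go uses, decodes whichever document the API server returns, and walks `/apis/<group>/<version>` only when the server is too old for aggregated discovery. The `main` function doubles as a pre-flight check for the network route and the credential described in the sections that follow. Assumptions: the environment variable names KUBE_API, KUBE_CA and KUBE_TOKEN are hypothetical, only bearer-token authentication is wired up (a client certificate would go into `tls.Config.Certificates`), and the core group under `/api` is left out.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// Accept header as client-go sends it: prefer aggregated discovery (v2 is GA in 1.30;
// v2beta1 exists from 1.26, on by default from 1.27); an older API server ignores the
// parameters and serves the plain application/json APIGroupList it always has.
const discoveryAccept = "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList,application/json;g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList,application/json"

// One struct set decodes all three documents: APIGroupDiscoveryList (items[].metadata.name,
// versions[].resources), APIGroupList (groups[].versions[].groupVersion) and APIResourceList.
type version struct {
	Version      string                                        `json:"version"`
	GroupVersion string                                        `json:"groupVersion"`
	Resources    []struct{ Resource string `json:"resource"` } `json:"resources"`
}
type group struct {
	Name     string                            `json:"name"`
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Versions []version                         `json:"versions"`
}
type discoveryDoc struct {
	Kind      string                            `json:"kind"`
	Items     []group                           `json:"items"`
	Groups    []group                           `json:"groups"`
	Resources []struct{ Name string `json:"name"` } `json:"resources"`
}

// get performs one bearer-token discovery GET and decodes the JSON body into out.
func get(c *http.Client, url, token string, out any) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Accept", discoveryAccept)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Discover returns "group/version/resource" for every named API group under /apis (the core
// group under /api works the same way and is omitted). aggregated reports whether the server
// answered with APIGroupDiscoveryList; the legacy fallback costs one round trip per version.
func Discover(c *http.Client, base, token string) (res []string, aggregated bool, err error) {
	var doc discoveryDoc
	if err := get(c, base+"/apis", token, &doc); err != nil {
		return nil, false, err
	}
	if doc.Kind == "APIGroupDiscoveryList" {
		for _, g := range doc.Items {
			for _, v := range g.Versions {
				for _, r := range v.Resources {
					res = append(res, g.Metadata.Name+"/"+v.Version+"/"+r.Resource)
				}
			}
		}
		return res, true, nil
	}
	for _, g := range doc.Groups {
		for _, v := range g.Versions {
			var rl discoveryDoc
			if err := get(c, base+"/apis/"+v.GroupVersion, token, &rl); err != nil {
				return nil, false, err
			}
			for _, r := range rl.Resources {
				res = append(res, g.Name+"/"+v.Version+"/"+r.Name)
			}
		}
	}
	return res, false, nil
}

// main is a pre-flight check to run on the search head host. The environment variable names
// KUBE_API (https://host:6443), KUBE_CA (PEM file) and KUBE_TOKEN are hypothetical.
func main() {
	ca, err := os.ReadFile(os.Getenv("KUBE_CA"))
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(ca) {
		fmt.Fprintln(os.Stderr, "KUBE_CA must point to the cluster CA bundle in PEM form:", err)
		os.Exit(1)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	res, aggregated, err := Discover(client, os.Getenv("KUBE_API"), os.Getenv("KUBE_TOKEN"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "discovery failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%d resources discovered (aggregated discovery: %v)\n", len(res), aggregated)
}
```

Run it from the search head host rather than from a workstation: the point of the check is that the route and the credential work from where the app will run. A connection timeout means the route or firewall rule is missing, a TLS verification error means KUBE_CA is not the CA the API server presents, and a 401 means the token was rejected.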
Network
Outbound HTTPS from the search head to each cluster’s API server. The search head is what connects to your clusters, so routes, firewall rules, and any source-address allow-list on the API server endpoint (for example a managed service’s authorized networks) apply to the search head’s egress address, not to indexers or forwarders.
Credentials
One credential per cluster - a bearer token, or a client certificate and its private key - kept in Splunk’s encrypted credential store. See Clusters for how to obtain one with least privilege.
Licensing
The free tier needs no key: one cluster on a single standalone search head. Multiple clusters, search head clustering, per-user credentials, and impersonation require a paid license. See Licensing.