Splunk Connect for Kubernetes alternative — Collectord
Splunk Connect for Kubernetes reached End of Support
In 2023 Splunk announced End of Support for Splunk Connect for Kubernetes (SCK) effective January 1, 2024. The last release shipped in August 2023 (1.5.4); since then there have been no new features and only sporadic fixes. Splunk’s recommended replacement is the Splunk Distribution of OpenTelemetry Collector. Thousands of clusters still run SCK, and most teams now face the same question: migrate to OTel, or pick something else?
Collectord is the something else. It’s a commercial, container-native log and metrics agent for Kubernetes, OpenShift, and Docker, with a complete Splunk app — 50+ pre-built dashboards and 39+ pre-built alerts — included. Same data flow you had with SCK, dramatically less work to get production-ready visibility back.
Side-by-side comparison
| Capability | Splunk Connect for K8s | OpenTelemetry Collector | Collectord |
|---|---|---|---|
| Status | End of Support 2024-01-01 | Active | Active, commercial support |
| Pre-built Splunk dashboards | — | — | 50+ included |
| Pre-built Splunk alerts | — | — | 39+ included |
| Container logs to Splunk | Yes | Yes | Yes |
| Application logs from mounted volumes (no sidecar) | Limited | Limited | Native, auto-discover |
| Container, host, and process metrics | Partial | Yes (configure) | Yes, by default |
| Kubernetes events | Yes | Yes (configure) | Yes, with dedicated dashboards |
| Kubernetes audit logs | Yes | Yes (configure) | Yes, dedicated app |
| Prometheus auto-discovery via annotations | — | Configurable | Yes, per-pod annotations |
| Scrape Prometheus endpoints to Splunk metrics index | — | Yes | Yes |
| Self-service routing via K8s annotations | Partial | — | Full — index, source, type, output, masking, sampling |
| Cluster-wide policy via CRD | — | — | Configuration CRD, force overrides |
| Multi-tenant SplunkOutput per namespace | — | — | SplunkOutput CRD, Secret-backed tokens |
| Multiple Splunk endpoints simultaneously | — | Configurable | Yes, per-pod fan-out |
| PII masking / hashing before forwarding | — | Configurable | Built in, annotation-driven |
| Sampling (random + hash-based) | — | Random | Random + key-based |
| FIPS 140 validated images | — | — | amd64 + arm64 |
| Red Hat certified image | — | — | Yes (OpenShift) |
| OpenShift router, builds, image streams coverage | Basic | Basic | Full |
| Distributed tracing | — | Yes | — |
| Setup time to production-ready dashboards | Hours-days | Days-weeks (build dashboards) | ~10 minutes |
| Vendor support | Community only | Community + paid Splunk | Outcold Solutions, since 2017 |
Need tracing too? Collectord focuses on logs, metrics, events, and Splunk app coverage — it doesn’t collect distributed traces. That’s not a problem: run the OpenTelemetry Collector alongside Collectord and route traces to Splunk Observability Cloud (or any OTLP backend). The two stacks coexist cleanly — most teams that care about tracing already do this.
What you actually get with Collectord
A complete Splunk app — not a data pipeline
This is the difference that matters most. SCK and OTel deliver data into Splunk indexes and stop there. You’re left to build dashboards, write alerts, and answer “is etcd healthy?” or “which pod is OOM-killing” by writing SPL from scratch.
Collectord ships Monitoring Kubernetes and Monitoring OpenShift as full Splunk apps:
- Workload investigation: CrashLoopBackOff, OOMKilled, image-pull failures, probe failures — pre-built dashboards and saved searches
- Control plane: Kubernetes API server, etcd (8 dedicated alerts), kubelet, controller manager, scheduler, CoreDNS
- Capacity: allocatable resources, top pods/containers/hosts/processes, namespace resource usage
- Events: redesigned in 26.04 — Events Timeline, Events Overview, Workload Failures, Scheduling and Node Health, Recurring Problems
- Audit and security: Kubernetes audit log dashboards, privileged container detection, network connection analysis
- Storage: PVC space tracking, mount stats, disk I/O
- Prometheus: bring your own application metrics, use Splunk metrics index
- GPU: NVIDIA dashboard for ML workloads
Self-service routing via Kubernetes annotations
Need a namespace’s logs in a separate index? An app team to mask PII without filing a ticket? A noisy debug container silenced? Add an annotation. The platform team configures Collectord once; everything else is self-service. The annotation system has a precedence model with `force: true` overrides for compliance-critical rules.
→ How layered annotations work
FIPS 140-validated images
For federal, finance, healthcare, and other regulated environments, Collectord ships FIPS-validated container images on both amd64 and arm64. Two modes — FIPS-enabled and FIPS-enforced (`GODEBUG=fips140=only`). In the Splunk ecosystem, this is the gap: SCK never had FIPS images, and the Splunk Distribution of OpenTelemetry Collector currently doesn’t either (upstream FIPS audit is still open).
→ FIPS for Kubernetes · FIPS for OpenShift
Multi-tenant ready
Run a shared cluster for many teams? Each team can declare its own Splunk destination via SplunkOutput CRD without ConfigMap edits. Tokens can live in Kubernetes Secrets. Per-pod fan-out lets one log line land in a SIEM index and an apps index simultaneously.
Migrating from Splunk Connect for Kubernetes
The migration path is straightforward, and you don’t have to do it all at once — Collectord can run alongside SCK during a cutover.
- Install Collectord on a single test namespace. A 5-minute install gives you a working pipeline. Use namespace annotations to scope which pods Collectord forwards initially.
- Reproduce your sourcetype and index routing. SCK’s index routing was based on Helm values; Collectord’s is based on annotations or a Configuration CRD. Most clusters can replicate it in under an hour.
- Verify dashboards. The Monitoring Kubernetes app installs into Splunk in minutes. The dashboards you previously built against SCK sourcetypes can usually be retargeted with a sourcetype rename.
- Migrate namespace by namespace. Add the namespace annotation, watch the data flow, decommission SCK from that namespace.
- Tear down SCK. Once every namespace is on Collectord, the SCK Helm release comes down.
If you want a hand walking through it, request a demo and we’ll do a live migration walkthrough on your cluster.
Why teams switch
Common reasons we hear:
- Deprecation forced a decision — and OTel meant rebuilding dashboards
- Pre-built dashboards — months of dashboard engineering avoided
- Annotation-based self-service — platform teams want to stop being a routing bottleneck
- FIPS — federal/finance customers can’t ship without it
- OpenShift coverage — Router, BuildConfig, ImageStream observability that vanilla K8s tooling doesn’t address
- Simpler operations — one binary, one DaemonSet, no Helm chart with 200 values
Pricing and trial
Collectord is commercial software with a 30-day free trial — no credit card required.
- 30-day trial — full features, all products, no install limit
- Per-cluster annual licensing — predictable, simple
- Air-gapped licensing — available on request for FIPS / classified environments
→ Start your trial · Pricing · Contact sales
Frequently asked questions
Is Collectord a fork of SCK? No. Collectord is independently developed by Outcold Solutions, has been in production since 2017, and predates SCK’s deprecation by years.
Can I run Collectord alongside SCK during migration? Yes — they’re independent agents, and you can move namespaces over one at a time using namespace annotations.
Does Collectord forward to OpenSearch / Elasticsearch / syslog? Yes — alternate output destinations are supported. See forwarding to Elasticsearch and forwarding via syslog.
Is the Splunk app free? The app is published on SplunkBase and free to download — but it’s a UI layer over data Collectord forwards. Without a Collectord license, the dashboards have nothing to render. The 30-day free trial covers the full stack; a paid Collectord license is required to keep using it after that.
Do you support OpenTelemetry traces? Not today. If tracing is essential, OpenTelemetry Collector + Splunk Observability Cloud is the right stack.
Stop building. Start operating.
30-day free trial. No credit card. No install limit. Working dashboards within ten minutes of `kubectl apply`.