Apps
Start with the MCP Server: install it into Claude Desktop / Code / Cursor, and it will guide you through installing each of the apps below based on k8s discovery of your environment. You can also install and run these apps manually; MCP just makes it faster and safer by knowing your stack.
```mermaid
graph LR
    Forwarders["Log Forwarders"] -->|IPC| Edge["10x Receiver"]
    Edge --> Analyzers["Analyzers & Storage"]
    Forwarders -.->|IPC| Reporter["10x Reporter (DaemonSet)"]
    Analyzers --> Cloud["10x Retriever"]
    Reporter -.->|Metrics| Console["TSDB & Dashboards"]
    Edge -.->|Metrics| Console
    Cloud -.->|Metrics| Console
    classDef forwarders fill:#9333ea88,stroke:#7c3aed,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef edge fill:#2563eb88,stroke:#1d4ed8,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef analyzers fill:#ea580c88,stroke:#c2410c,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef cloud fill:#059669,stroke:#047857,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef console fill:#16a34a88,stroke:#15803d,color:#ffffff,stroke-width:2px,rx:8,ry:8
    class Forwarders forwarders
    class Edge edge
    class Reporter edge
    class Analyzers analyzers
    class Cloud cloud
    class Console console
```
Suggested adoption path (guided by the MCP Server):
- Dev: preview savings on your own log files (MCP can fetch and run it for you)
- Reporter: pinpoint the event types driving 80% of cost (MCP generates the Helm values)
- Receiver: filter noisy events and compact the rest losslessly where supported (Splunk, self-hosted Elasticsearch/OpenSearch, ClickHouse) (MCP proposes filter configs)
- Retriever: offload events to your own S3 bucket, fetch the exact events back on demand (no SIEM re-ingest) (MCP recommends the setup)
Dev
Preview savings on your actual log files before deploying. Installs locally or via Docker, or ask MCP to fetch and invoke it for you.
Reporter
See which event types drive 80% of your analytics platform cost, observed pre-SIEM from the forwarder stream. Deploys as a DaemonSet alongside your forwarder, not as a sidecar inside it. Not in the critical log path.
MCP can generate tailored Helm values: ask "set me up with the Reporter" after installing the MCP Server.
Receiver
Execution arm. Two modes, one app:
- Filter (lossy): drop events matching a rule, up to 80% volume reduction. Safe defaults are deny; explicit allow required.
- Compact (lossless): replace events with a compact wire-form that the downstream SIEM plugin expands at query time. Typically 50–80% reduction (about 64% measured on K8s OTel logs), no dashboard/query changes. Requires the expand plugin in Splunk or self-hosted Elasticsearch/OpenSearch (compact is a no-op on managed/SaaS analytics platforms).
MCP can propose filter configs per pattern based on the Reporter's cost attribution.
Retriever
Offload selected events to your own S3 bucket instead of paying analytics platform ingestion rates, then fetch the exact offloaded events on demand (no SIEM re-ingest). This can cut analytics cost on these events substantially, typically modeled at 70-80% for high-volume patterns.
MCP can recommend the Terraform + Helm pair for your environment.
Related
- Install the orchestrator: MCP Server, which starts the adoption journey and then guides you through each app above
- Generating custom symbols? See Compile, the AOT symbol generation pipeline. Optional.
This app is defined in apps/app.yaml.