Reporter
The Reporter pinpoints app/infra events driving the most storage and licensing cost, before the forwarder ships them to the log analyzer.
Workflow
The Reporter app processes events from a variety of log forwarders, such as Fluentd, Fluent Bit, Filebeat, and Logstash. Configure the app to process all or a subset of collected events, allowing for targeted cost analysis.
graph LR
A["<div style='font-size: 14px;'>🚙 DaemonSet</div><div style='font-size: 10px; text-align: center;'>Alongside Forwarder</div>"] --> B["<div style='font-size: 14px;'>📡 Tail</div><div style='font-size: 10px; text-align: center;'>Pre-SIEM Stream</div>"]
B --> C["<div style='font-size: 14px;'>🔄 Transform</div><div style='font-size: 10px; text-align: center;'>into TenXObjects</div>"]
C --> D["<div style='font-size: 14px;'>🎁 Enrich</div><div style='font-size: 10px; text-align: center;'>Add Context</div>"]
D --> E["<div style='font-size: 14px;'>📊 Aggregate</div><div style='font-size: 10px; text-align: center;'>Group by Cost</div>"]
E --> F["<div style='font-size: 14px;'>📈 Report</div><div style='font-size: 10px; text-align: center;'>Publish Metrics</div>"]
classDef deploy fill:#7c3aed88,stroke:#6d28d9,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef receive fill:#9333ea88,stroke:#7c3aed,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef transform fill:#2563eb88,stroke:#1d4ed8,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef enrich fill:#059669,stroke:#047857,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef aggregate fill:#ea580c88,stroke:#c2410c,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef report fill:#16a34a88,stroke:#15803d,color:#ffffff,stroke-width:2px,rx:8,ry:8
class A deploy
class B receive
class C transform
class D enrich
class E aggregate
class F report🚙 DaemonSet: Runs 10x as a separate DaemonSet pod alongside your forwarder, not a sidecar inside it, not in the critical log path
📡 Tail: Reads the same pre-SIEM event stream the forwarder sees, from container logs, files, or a duplicated IPC channel
🔄 Transform: Structures log events into well-defined TenXObjects
🎁 Enrich: Applies enrichment rules to augment TenXObjects with intelligent context
📊 Aggregate: Groups TenXObjects to show data volume per event type, severity, and more
📈 Report: Publishes cost insight metrics for visualization and alerting
Architecture
The Reporter executes as a DaemonSet alongside your log forwarder to report on log/trace events before they ship to output destinations (e.g., Splunk, Datadog). Not in the critical log path.
The 10x Engine runs as a DaemonSet alongside your forwarder to identify the app/infra events incurring the highest costs and report as metrics to the 10x Console.
Reporters publish event cost metrics to the 10x console.The 10x Engine runs as a DaemonSet alongside your forwarder to identify the app/infra events incurring the highest costs and report as metrics to a Metric output for visualization, alerting and anomaly detection.
Reporters publish event cost metrics to time-series DBs.Safety & Reliability
The Reporter runs as a DaemonSet alongside your log forwarder, not in the critical log path. If the Reporter crashes or stops, your logs continue flowing normally to your analyzer (insights go stale; the DaemonSet controller respawns the pod).
| Topic | Detail |
|---|---|
| Fail-independent design | Logs continue flowing if the Reporter goes down |
| Not in the log path | Adds zero latency to the forwarder pipeline; doesn't mutate forwarder configs |
| Resource requirements | 512MB heap + 2 threads handles 100+ GB/day |
| Rollback | helm uninstall takes ~1 minute, forwarders untouched |
See the Reporter FAQ for complete operational details, capacity planning, and deployment guidance.