Skip to content

Reporter

The Reporter app is the read-only insights arm of the 10x pipeline. It pinpoints high-cost app/infra events before forwarders ship them to log analyzers, enabling storage and licensing cost optimization.

Deployment: a DaemonSet alongside your forwarder — not a sidecar injected into it, and not a cloud app polling your SIEM's REST API. The reporter tails the same event stream your forwarder sees (pre-SIEM), publishes cost insight metrics, and fails independently: if the reporter goes down, your logs continue flowing to the SIEM uninterrupted.

Not in the critical log path. No mutation of existing fluent-bit / fluentd / otel-collector configs. Similar deployment pattern to datadog-agent or splunk-otel-collector.

MCP can set this up for you

Ask the MCP Server to deploy the Reporter for your cluster — MCP does k8s discovery, identifies your forwarder, and generates a tailored my-reporter.yaml Helm values file. You review and helm install.

Architecture — the Reporter DaemonSet tails the forwarder's event stream pre-SIEM

10x DaemonSet — pre-SIEM cost visibility per app, independent of the forwarder

Top patterns by potential savings — the 10 most expensive event types ranked by volume and cost

Pinpoint Costly Events

Deliver granular cost insight for app/infra event types incurring the highest storage and licensing costs. Provide dev teams with data for targeting highest-impact optimization efforts.

Processing production logs reveals precise cost distribution patterns by event type, enabling targeted optimization strategies. See detailed cost analysis examples from the dev app for comprehensive breakdowns and savings calculations.

AI Recommendations

The reasoning AI model provides context on the origin of the costliest event types and delivers actionable recommendations for lowering costs. Use the model built into the managed 10x Console dashboards or bring your own (OpenAI, Anthropic, Grok).

Regulate Costs

Feed cost metrics into the Regulator app (Filter or Compact mode) to actively control 'noisy' telemetry and prevent over-billing.

Logs to Metrics

Integrate granular cost metrics into your FinOps dashboards and alerting using Metric outputs.

Deliver actionable event-level cost insight metrics to CloudWatch and Datadog to detect operational anomalies and enhance FinOps dashboards and alerting.

Query the 10x REST API to build custom cost analyses, dashboards, and automation on top of the per-pattern cost time series.

Workflow

The Reporter app processes events from a variety of log forwarders, such as Fluentd, Fluent Bit, Filebeat, and Logstash. Configure the app to process all or a subset of collected events, allowing for targeted cost analysis.

graph LR
    A["<div style='font-size: 14px;'>🚙 DaemonSet</div><div style='font-size: 10px; text-align: center;'>Alongside Forwarder</div>"] --> B["<div style='font-size: 14px;'>📡 Tail</div><div style='font-size: 10px; text-align: center;'>Pre-SIEM Stream</div>"]
    B --> C["<div style='font-size: 14px;'>🔄 Transform</div><div style='font-size: 10px; text-align: center;'>into TenXObjects</div>"]
    C --> D["<div style='font-size: 14px;'>🎁 Enrich</div><div style='font-size: 10px; text-align: center;'>Add Context</div>"]
    D --> E["<div style='font-size: 14px;'>📊 Aggregate</div><div style='font-size: 10px; text-align: center;'>Group by Cost</div>"]
    E --> F["<div style='font-size: 14px;'>📈 Report</div><div style='font-size: 10px; text-align: center;'>Publish Metrics</div>"]

    classDef deploy fill:#7c3aed88,stroke:#6d28d9,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef receive fill:#9333ea88,stroke:#7c3aed,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef transform fill:#2563eb88,stroke:#1d4ed8,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef enrich fill:#059669,stroke:#047857,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef aggregate fill:#ea580c88,stroke:#c2410c,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef report fill:#16a34a88,stroke:#15803d,color:#ffffff,stroke-width:2px,rx:8,ry:8

    class A deploy
    class B receive
    class C transform
    class D enrich
    class E aggregate
    class F report

🚙 DaemonSet: Runs 10x as a separate DaemonSet pod alongside your forwarder — not a sidecar inside it, not in the critical log path

📡 Tail: Reads the same pre-SIEM event stream the forwarder sees — from container logs, files, or a duplicated IPC channel

🔄 Transform: Structures log events into well-defined TenXObjects

🎁 Enrich: Applies enrichment rules to augment TenXObjects with intelligent context

📊 Aggregate: Groups TenXObjects to show data volume per event type, severity, and more

📈 Report: Publishes cost insight metrics for visualization and alerting

Architecture

The Reporter executes as a DaemonSet alongside your log forwarder to report on log/trace events before they ship to output destinations (e.g., Splunk, Datadog). Not in the critical log path.

Without 10x, a small segment of noisy app/infra event types can drive most log analytics and storage costs, with little to no cost visibility.

Architecture diagram: Log forwarders ship all events to log analyzers with no cost visibility or control
❌ Forwarders ship events to log analyzers with no cost visibility.

The 10x Engine runs as a DaemonSet alongside your forwarder to identify the app/infra events incurring the highest costs and report as metrics to the 10x Console.

Architecture diagram: Reporter DaemonSet analyzes events pre-SIEM and publishes cost metrics to the 10x Console
✅ Reporters publish event cost metrics to the 10x console.

The 10x Engine runs as a DaemonSet alongside your forwarder to identify the app/infra events incurring the highest costs and report as metrics to a Metric output for visualization, alerting and anomaly detection.

Architecture diagram: Reporter DaemonSet analyzes events pre-SIEM and publishes cost metrics to time-series databases like Prometheus or Datadog
✅ Reporters publish event cost metrics to time-series DBs.

Safety & Reliability

The Reporter runs as a DaemonSet alongside your log forwarder — not in the critical log path. If the Reporter crashes or stops, your logs continue flowing normally to your analyzer (insights go stale; the DaemonSet controller respawns the pod).

Topic Detail
Fail-independent design Logs continue flowing if the Reporter goes down
Not in the log path No latency, no mutation of forwarder configs
Resource requirements 512MB heap + 2 threads handles 100+ GB/day
Rollback helm uninstall takes ~1 minute, forwarders untouched

See the Reporter FAQ for complete operational details, capacity planning, and deployment guidance.