Reporter
The Reporter app is the read-only insights arm of the 10x pipeline. It pinpoints high-cost app/infra events before forwarders ship them to log analyzers, enabling storage and licensing cost optimization.
Deployment: a DaemonSet alongside your forwarder — not a sidecar injected into it, and not a cloud app polling your SIEM's REST API. The reporter tails the same event stream your forwarder sees (pre-SIEM), publishes cost insight metrics, and fails independently: if the reporter goes down, your logs continue flowing to the SIEM uninterrupted.
Not in the critical log path. No mutation of existing fluent-bit / fluentd / otel-collector configs. Similar deployment pattern to datadog-agent or splunk-otel-collector.
MCP can set this up for you
Ask the MCP Server to deploy the Reporter for your cluster — MCP does k8s discovery, identifies your forwarder, and generates a tailored my-reporter.yaml Helm values file. You review and helm install.
Pinpoint Costly Events
Deliver granular cost insight for app/infra event types incurring the highest storage and licensing costs. Provide dev teams with data for targeting highest-impact optimization efforts.
Processing production logs reveals precise cost distribution patterns by event type, enabling targeted optimization strategies. See detailed cost analysis examples from the dev app for comprehensive breakdowns and savings calculations.
AI Recommendations
The reasoning AI model provides context on the origin of the costliest event types and delivers actionable recommendations for lowering costs. Use the model built into the managed 10x Console dashboards or bring your own (OpenAI, Anthropic, Grok).
Regulate Costs
Feed cost metrics into the Regulator app (Filter or Compact mode) to actively control 'noisy' telemetry and prevent over-billing.
Logs to Metrics
Integrate granular cost metrics into your FinOps dashboards and alerting using Metric outputs.
Deliver actionable event-level cost insight metrics to CloudWatch and Datadog to detect operational anomalies and enhance FinOps dashboards and alerting.
Query the 10x REST API to build custom cost analyses, dashboards, and automation on top of the per-pattern cost time series.
Workflow
The Reporter app processes events from a variety of log forwarders, such as Fluentd, Fluent Bit, Filebeat, and Logstash. Configure the app to process all or a subset of collected events, allowing for targeted cost analysis.
graph LR
A["<div style='font-size: 14px;'>🚙 DaemonSet</div><div style='font-size: 10px; text-align: center;'>Alongside Forwarder</div>"] --> B["<div style='font-size: 14px;'>📡 Tail</div><div style='font-size: 10px; text-align: center;'>Pre-SIEM Stream</div>"]
B --> C["<div style='font-size: 14px;'>🔄 Transform</div><div style='font-size: 10px; text-align: center;'>into TenXObjects</div>"]
C --> D["<div style='font-size: 14px;'>🎁 Enrich</div><div style='font-size: 10px; text-align: center;'>Add Context</div>"]
D --> E["<div style='font-size: 14px;'>📊 Aggregate</div><div style='font-size: 10px; text-align: center;'>Group by Cost</div>"]
E --> F["<div style='font-size: 14px;'>📈 Report</div><div style='font-size: 10px; text-align: center;'>Publish Metrics</div>"]
classDef deploy fill:#7c3aed88,stroke:#6d28d9,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef receive fill:#9333ea88,stroke:#7c3aed,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef transform fill:#2563eb88,stroke:#1d4ed8,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef enrich fill:#059669,stroke:#047857,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef aggregate fill:#ea580c88,stroke:#c2410c,color:#ffffff,stroke-width:2px,rx:8,ry:8
classDef report fill:#16a34a88,stroke:#15803d,color:#ffffff,stroke-width:2px,rx:8,ry:8
class A deploy
class B receive
class C transform
class D enrich
class E aggregate
class F report🚙 DaemonSet: Runs 10x as a separate DaemonSet pod alongside your forwarder — not a sidecar inside it, not in the critical log path
📡 Tail: Reads the same pre-SIEM event stream the forwarder sees — from container logs, files, or a duplicated IPC channel
🔄 Transform: Structures log events into well-defined TenXObjects
🎁 Enrich: Applies enrichment rules to augment TenXObjects with intelligent context
📊 Aggregate: Groups TenXObjects to show data volume per event type, severity, and more
📈 Report: Publishes cost insight metrics for visualization and alerting
Architecture
The Reporter executes as a DaemonSet alongside your log forwarder to report on log/trace events before they ship to output destinations (e.g., Splunk, Datadog). Not in the critical log path.
Without 10x, a small segment of noisy app/infra event types can drive most log analytics and storage costs, with little to no cost visibility.
Forwarders ship events to log analyzers with no cost visibility.The 10x Engine runs as a DaemonSet alongside your forwarder to identify the app/infra events incurring the highest costs and report as metrics to the 10x Console.
Reporters publish event cost metrics to the 10x console.The 10x Engine runs as a DaemonSet alongside your forwarder to identify the app/infra events incurring the highest costs and report as metrics to a Metric output for visualization, alerting and anomaly detection.
Reporters publish event cost metrics to time-series DBs.Safety & Reliability
The Reporter runs as a DaemonSet alongside your log forwarder — not in the critical log path. If the Reporter crashes or stops, your logs continue flowing normally to your analyzer (insights go stale; the DaemonSet controller respawns the pod).
| Topic | Detail |
|---|---|
| Fail-independent design | Logs continue flowing if the Reporter goes down |
| Not in the log path | No latency, no mutation of forwarder configs |
| Resource requirements | 512MB heap + 2 threads handles 100+ GB/day |
| Rollback | helm uninstall takes ~1 minute, forwarders untouched |
See the Reporter FAQ for complete operational details, capacity planning, and deployment guidance.