Optimization

How the 10x for Splunk app expands compact events at search time, search-time overhead, potential license-tier reduction, and what happens to events the Receiver filters out.

How does the 10x for Splunk app expand optimized events

On Splunk, as on self-hosted Elasticsearch or OpenSearch and ClickHouse, the Receiver compacts events losslessly (a modeled ~50–80% reduction) before they reach the indexer. Because Splunk meters ingested volume, that saving lands on your license bill. The open-source 10x for Splunk app keeps the saving invisible to searchers: it automatically expands compact events back to their full original form before results are displayed.

How it works:

  1. A dedicated /tenx-search REST endpoint accepts a normal search
  2. The handler rewrites the search to include the tenx-inflate macro and creates a Splunk search job
  3. The macro joins compact events with their templates from the KV Store
  4. Full-fidelity events are returned with their original field names and values

Storage architecture:

  • Templates stored in the tenx_dml KV Store collection
  • Compact events carry sourcetype tenx_encoded (in your existing index)
  • Hash references link events to their templates
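The expansion scheme above (templates keyed by a hash in a KV-store-like collection, compact events carrying the hash plus the variable values, and a primary-key lookup that restores the original line) as an added example, not code from the 10x Receiver or the 10x for Splunk app. The tokenization rules, the field names "t" and "v", the hash length and the sample log lines are assumptions made for this example; it also shows the failure mode the dashboard's expansion success rate counts, a compact event whose template is missing.

```python
"""Model of template-based compaction and search-time expansion.

Added example, not code from the 10x Receiver or the 10x for Splunk app.
Tokenization rules, field names, hash length and sample lines are assumptions.
"""
import hashlib
import re

PLACEHOLDER = "<*>"

# Tokens that look variable are lifted out of the template. Patterns are tried
# in order, so the IPv4 pattern wins over the bare-integer pattern.
_VARIABLE_PATTERNS = [
    re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$"),               # IPv4 address
    re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"),  # ISO-8601 timestamp
    re.compile(r"^[0-9a-f]{8,}$"),                          # hex identifiers
    re.compile(r"^\d+$"),                                   # integers (pids, ports, sizes)
]


def _is_variable(token):
    # A literal "<*>" in the raw line is also treated as a value, so it never
    # collides with the placeholder and the round trip stays lossless.
    return token == PLACEHOLDER or any(p.match(token) for p in _VARIABLE_PATTERNS)


def make_template(raw):
    """Split a raw line into (template, values).

    Splitting on single spaces and re-joining the same way keeps runs of
    spaces intact, so expand() reproduces the raw line byte for byte."""
    template_tokens, values = [], []
    for tok in raw.split(" "):
        if _is_variable(tok):
            template_tokens.append(PLACEHOLDER)
            values.append(tok)
        else:
            template_tokens.append(tok)
    return " ".join(template_tokens), values


def template_hash(template):
    """Stable key for a template; a truncated SHA-256 stands in for the hash
    reference that compact events carry (length is an assumption)."""
    return hashlib.sha256(template.encode("utf-8")).hexdigest()[:16]


class TemplateStore:
    """Stands in for the KV Store collection that holds templates by hash."""

    def __init__(self):
        self._templates = {}

    def put(self, template):
        key = template_hash(template)
        self._templates.setdefault(key, template)
        return key

    def get(self, key):
        return self._templates.get(key)

    def __len__(self):
        return len(self._templates)


def compact(raw, store):
    """Produce the compact event: template hash plus the values, in order."""
    template, values = make_template(raw)
    return {"sourcetype": "tenx_encoded", "t": store.put(template), "v": values}


def expand(event, store):
    """Restore the raw line. Returns (raw, True), or (None, False) when the
    referenced template is missing from the store."""
    template = store.get(event["t"])
    if template is None:
        return None, False
    values = iter(event["v"])
    tokens = [next(values) if tok == PLACEHOLDER else tok for tok in template.split(" ")]
    return " ".join(tokens), True


def encoded_size(event):
    """Bytes a compact event carries: the hash plus the values and separators."""
    return len(event["t"]) + sum(len(v) + 1 for v in event["v"])


# Constructed sample lines (not real traffic) in a simplified sshd format.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z sshd 1423 Failed password for root from 10.0.0.5 port 51422 ssh2",
    "2024-05-01T10:00:03Z sshd 1423 Failed password for admin from 10.0.0.5 port 51430 ssh2",
    "2024-05-01T10:00:07Z sshd 1501 Accepted publickey for deploy from 192.168.4.20 port 40122 ssh2",
    "2024-05-01T10:00:09Z sshd 1423 Failed password for root from 10.0.0.9 port 51444 ssh2",
]


def run_demo(raw_events=SAMPLE_EVENTS):
    """Compact every line, expand it again, and report what a dashboard would
    show: template count, expansion successes and the size reduction."""
    store = TemplateStore()
    compact_events = [compact(line, store) for line in raw_events]
    ok = sum(1 for c, raw in zip(compact_events, raw_events) if expand(c, store) == (raw, True))
    raw_bytes = sum(len(line.encode("utf-8")) for line in raw_events)
    compact_bytes = sum(encoded_size(c) for c in compact_events)
    return {
        "events": len(raw_events),
        "templates": len(store),
        "expanded_ok": ok,
        "raw_bytes": raw_bytes,
        "compact_bytes": compact_bytes,
        "reduction": 1 - compact_bytes / raw_bytes,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when running it: usernames are not treated as variable, so "root" and "admin" lines land in different templates, which is why the reduction ratio depends heavily on the tokenization rules; and the "<*>" placeholder is escaped by treating a literal occurrence as a value, which is the kind of detail that decides whether "lossless" actually holds.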

Built-in Analytics Dashboard shows:

  • Total compact events and active templates
  • Reduction ratio and storage savings
  • Event volume trends over time
  • Top templates by usage
  • Expansion success rate

User experience: Completely transparent. Users search, build dashboards, and configure alerts exactly as before, on the original full-fidelity data.

Open source: Available on GitHub.

What is the search-time overhead in Splunk

Template resolution runs once per search, matching the search terms against the stored templates. Per-event expansion is a KV Store primary-key lookup plus native SPL functions, so the per-event overhead is negligible. Expansion does require the referenced template to be present in the tenx_dml collection; the app's Analytics Dashboard reports the expansion success rate so that misses are visible. Queries, dashboards, and alerts work unchanged.

The 10x Engine processes events in sub-millisecond time per event and sustains 100+ GB/day on a single node (512 MB heap, 2 threads). For resource requirements, scaling tables, and architecture details, see the Performance FAQ.

Can 10x reduce our Splunk license tier

Yes. Compaction reduces the license bill because Splunk meters raw ingested volume (wire or on-disk compression does not count) and compaction shrinks the events themselves before they are ingested. Combined with filtering, the pipeline cuts billed volume by a modeled 60–70%, typically enough to move you to a lower license tier. See pricing for details.

Splunk's list rate runs around $6/GB, so every GB/day removed from sustained ingest adds up over the year. Which tier boundary you cross depends on your contract; measure the sustained post-optimization average before renegotiating.

License renewal strategy: Deploy 10x ahead of renewal to demonstrate sustained reduction, then negotiate the new tier based on the post-optimization average.

Typical deployment sequence:

  • Cost analysis: Run an agentless analysis through the MCP server's SIEM-sample tool (a read-only Splunk REST API query, so a read-only Splunk credential is all it needs), or deploy the Reporter DaemonSet for pre-SIEM cost visibility.
  • Deploy: Deploy the Receiver in Compact mode alongside your forwarders via Helm
  • Validate: Measure sustained reduction, validate with Splunk license usage reports
  • Renewal: Negotiate new tier based on demonstrated lower ingestion

Splunk Cloud: Works with Ingest-based pricing. Directly reduces GB ingested, lowering monthly costs proportionally.

What happens to logs filtered by the Receiver

The Receiver in Filter mode identifies low-priority logs (excessive debug, health checks, noise) based on your configured budget and severity thresholds. You control what happens to the filtered logs:

  • Archive to S3/object storage: Route to low-cost storage for compliance. Query via Athena or rehydrate to Splunk on-demand.
  • Route to a different Splunk index: Send to a cheaper "cold" index with longer retention but lower priority. On ingest-metered licenses these events still count toward licensed volume; the saving is in storage cost and search-time priority.
  • Drop completely: Discard entirely, once a validation period has confirmed nothing depends on them.

The Receiver exports cost metrics per event type (volume filtered, spend rate, and sampling ratios), queryable via the Prometheus Metrics API.
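The Filter-mode decision described in this section (a severity threshold plus a per-event-type budget, with excess low-priority events diverted to the configured destination) and the per-type metrics the last paragraph mentions, as an added example. This is not the 10x Receiver's code, configuration schema or metric names: the policy fields, the event shape, the "tenx_filter_*" metric names and the sample events are assumptions made for this example. Unknown severities are deliberately treated as high priority so that a mislabeled event is never silently diverted.

```python
"""Model of a Filter-mode decision: severity threshold plus a per-event-type
byte budget, with per-type cost metrics rendered in Prometheus text format.

Added example, not the 10x Receiver's code, configuration schema or metric
names. Policy fields, event shape, metric names and sample events are assumed.
"""
from dataclasses import dataclass

SEVERITY = {"debug": 0, "info": 1, "notice": 2, "warning": 3, "error": 4, "critical": 5}


@dataclass
class TypePolicy:
    budget_bytes: int   # low-priority bytes this type may send to Splunk per window
    min_severity: str   # events at or above this level always go to Splunk
    overflow: str       # "archive", "cold_index" or "drop" for low-priority excess


@dataclass
class TypeMetrics:
    seen_bytes: int = 0
    kept_bytes: int = 0
    low_priority_bytes: int = 0
    filtered_bytes: int = 0
    filtered_events: int = 0

    @property
    def sampling_ratio(self):
        """Share of low-priority volume that still reached Splunk."""
        if self.low_priority_bytes == 0:
            return 1.0
        return (self.low_priority_bytes - self.filtered_bytes) / self.low_priority_bytes


class FilterRouter:
    """Routes events for one budget window and accumulates per-type metrics."""

    def __init__(self, policies, default):
        self.policies = policies
        self.default = default
        self.metrics = {}

    def route(self, event):
        """Return the destination: "splunk", or the type's overflow action."""
        policy = self.policies.get(event["type"], self.default)
        m = self.metrics.setdefault(event["type"], TypeMetrics())
        size = len(event["msg"].encode("utf-8"))
        m.seen_bytes += size
        # Fail safe on unknown severities: treat them as high priority rather
        # than silently diverting something a parser mislabeled.
        level = SEVERITY.get(event["severity"], max(SEVERITY.values()))
        if level >= SEVERITY[policy.min_severity]:
            m.kept_bytes += size
            return "splunk"
        m.low_priority_bytes += size
        sent_low = m.low_priority_bytes - m.filtered_bytes  # includes this event
        if sent_low <= policy.budget_bytes:
            m.kept_bytes += size
            return "splunk"
        m.filtered_bytes += size
        m.filtered_events += 1
        return policy.overflow

    def prometheus_text(self):
        """Render the metrics in Prometheus exposition format (assumed names)."""
        lines = []
        for etype, m in sorted(self.metrics.items()):
            label = f'{{event_type="{etype}"}}'
            lines.append(f"tenx_filter_seen_bytes{label} {m.seen_bytes}")
            lines.append(f"tenx_filter_filtered_bytes{label} {m.filtered_bytes}")
            lines.append(f"tenx_filter_filtered_events{label} {m.filtered_events}")
            lines.append(f"tenx_filter_sampling_ratio{label} {m.sampling_ratio:.3f}")
        return "\n".join(lines) + "\n"


def make_sample_events():
    """Constructed sample events (not real traffic): a burst of health-check
    probes, one upstream error, and two auth events of different severity."""
    probe = {"type": "nginx-access", "severity": "info", "msg": 'GET /healthz 200 "kube-probe/1.29"'}
    events = [dict(probe) for _ in range(5)]
    events += [
        {"type": "nginx-access", "severity": "error",
         "msg": "upstream timed out (110) while reading response header"},
        {"type": "auth", "severity": "debug", "msg": "token cache hit for user 4821"},
        {"type": "auth", "severity": "warning", "msg": "failed login for admin from 10.0.0.5"},
    ]
    return events


def run_demo():
    """Route the sample events; returns (destinations, router) for inspection."""
    router = FilterRouter(
        policies={"nginx-access": TypePolicy(budget_bytes=100, min_severity="warning", overflow="archive")},
        default=TypePolicy(budget_bytes=1_000_000, min_severity="notice", overflow="drop"),
    )
    destinations = [router.route(e) for e in make_sample_events()]
    return destinations, router


if __name__ == "__main__":
    dests, router = run_demo()
    print(dests)
    print(router.prometheus_text())
```

With a 100-byte budget the first two 34-byte probes reach Splunk and the next three are archived, while the error line bypasses the budget entirely; the resulting sampling ratio for nginx-access is 0.4, which is the number you would want to compare against the license usage report during the validation period.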