
Splunk UF Input

Splunk Universal Forwarder inputs use a file relay pattern: Fluent Bit + 10x report on, regulate, or optimize events on disk before Splunk UF ships them to the Splunk indexers. UF stays the forwarder (buffering, retries, timeouts) and only ever sees the processed files, so what reaches Splunk is exactly what 10x wrote.

Architecture

graph LR
    A["<div style='font-size: 14px;'>📝 App Logs</div><div style='font-size: 10px;'>Folder A</div>"] --> B["<div style='font-size: 14px;'>🔧 Fluent Bit</div><div style='font-size: 10px;'>+ 10x sidecar</div>"]
    B --> C["<div style='font-size: 14px;'>📂 Processed</div><div style='font-size: 10px;'>Folder B</div>"]
    C --> D["<div style='font-size: 14px;'>📤 Splunk UF</div><div style='font-size: 10px;'>monitors B</div>"]
    D --> E["<div style='font-size: 14px;'>🔍 Splunk</div><div style='font-size: 10px;'>Indexers</div>"]

    classDef logs fill:#2563eb,stroke:#1d4ed8,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef fluentbit fill:#ea580c,stroke:#c2410c,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef processed fill:#7c3aed,stroke:#6d28d9,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef uf fill:#0891b2,stroke:#0e7490,color:#ffffff,stroke-width:2px,rx:8,ry:8
    classDef splunk fill:#16a34a,stroke:#15803d,color:#ffffff,stroke-width:2px,rx:8,ry:8

    class A logs
    class B fluentbit
    class C processed
    class D uf
    class E splunk

Data Flow

  • 📝 App Logs (Folder A) - The application writes logs to their original location
  • 🔧 Fluent Bit + 10x - Tails Folder A and processes events (report/regulate/optimize)
  • 📂 Processed Logs (Folder B) - 10x writes the processed output to a separate location; this is a second on-disk copy, so give it the same permissions and rotation as Folder A
  • 📤 Splunk UF - Monitors Folder B with a standard inputs.conf monitor stanza and handles forwarding; it must not also monitor Folder A, or unprocessed events bypass 10x and are ingested twice
  • 🔍 Splunk Indexers - Receive the processed events over the standard S2S protocol
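The wiring above has one failure mode worth checking before rollout: the directory Fluent Bit writes must be the one UF monitors, and UF must not also pick up Folder A. The following is an added example, not code from the 10x project or from Fluent Bit/Splunk: it parses a constructed Fluent Bit classic config and a constructed inputs.conf (both sample data, with assumed paths under /var/log) and reports miswiring. The 10x processing step itself is not shown; the Fluent Bit config only relays files from Folder A to Folder B.

```python
"""Consistency check for a Fluent Bit -> Folder B -> Splunk UF file relay.

Added example (not 10x project code). Parsers are deliberately minimal:
Fluent Bit classic INI-style sections and Splunk inputs.conf stanzas.
"""
import configparser
import fnmatch
from pathlib import PurePosixPath

# Constructed sample: Fluent Bit tails Folder A and writes Folder B.
# The 10x filter/output hookup is omitted; only the relay wiring is shown.
FLUENT_BIT_CONF = """\
[SERVICE]
    Flush        1
    Log_Level    info

[INPUT]
    Name         tail
    Path         /var/log/app/*.log
    Tag          app.raw

[OUTPUT]
    Name         file
    Match        app.*
    Path         /var/log/app-processed
    Format       plain
"""

# Constructed sample: UF monitors Folder B only (correct).
INPUTS_CONF = """\
[monitor:///var/log/app-processed]
sourcetype = app_json
index = app
disabled = 0
"""

# Constructed sample: UF also monitors Folder A (double ingestion, bypasses 10x).
INPUTS_CONF_DOUBLE = """\
[monitor:///var/log/app-processed]
sourcetype = app_json
index = app

[monitor:///var/log/app]
sourcetype = app_json
index = app
"""


def parse_fluent_bit(text):
    """Parse Fluent Bit classic config into a list of (SECTION, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].upper(), {}))
            continue
        if not sections:
            raise ValueError(f"key outside a section: {line!r}")
        parts = line.split(None, 1)  # Key and Value are whitespace separated
        sections[-1][1][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def parse_inputs_conf(text):
    """Return {stanza: {key: value}} for a Splunk inputs.conf (INI format)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def monitored_dirs(stanzas):
    """Paths watched by enabled monitor:// stanzas, with trailing slashes removed."""
    dirs = set()
    for name, opts in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        if opts.get("disabled", "0").lower() in ("1", "true"):
            continue
        dirs.add(name[len("monitor://"):].rstrip("/") or "/")
    return dirs


def glob_root(pattern):
    """Longest wildcard-free prefix of a tail Path, e.g. /var/log/app/**/*.log -> /var/log/app."""
    p = PurePosixPath(pattern)
    while p.name and any(ch in p.name for ch in "*?["):
        p = p.parent
    return str(p)


def is_under(path, directory):
    """True if path equals directory or lies beneath it (UF monitors recurse by default)."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def check_relay(fluent_bit_text, inputs_text):
    """Return a list of findings; an empty list means the relay is wired consistently."""
    findings = []
    sections = parse_fluent_bit(fluent_bit_text)
    inputs = [o for s, o in sections if s == "INPUT" and o.get("name") == "tail"]
    outputs = [o for s, o in sections if s == "OUTPUT" and o.get("name") == "file"]
    monitored = monitored_dirs(parse_inputs_conf(inputs_text))

    if not outputs:
        findings.append("Fluent Bit has no file output: nothing will land in Folder B")
    for out in outputs:
        out_dir = out["path"].rstrip("/")
        if not any(is_under(out_dir, m) for m in monitored):
            findings.append(f"UF does not monitor Fluent Bit output dir {out_dir}")
        if not any(fnmatch.fnmatch(i.get("tag", ""), out.get("match", "")) for i in inputs):
            findings.append(f"file output Match {out.get('match')!r} matches no tail input Tag")
        for i in inputs:
            if is_under(out_dir, glob_root(i["path"])):
                findings.append(f"Fluent Bit writes into the dir it tails ({out_dir}): feedback loop")
    for i in inputs:
        raw_root = glob_root(i["path"])
        if any(is_under(raw_root, m) for m in monitored):
            findings.append(f"UF also monitors raw dir {raw_root}: unprocessed events bypass 10x and are double-ingested")
    return findings


if __name__ == "__main__":
    print("good:", check_relay(FLUENT_BIT_CONF, INPUTS_CONF))
    print("bad: ", check_relay(FLUENT_BIT_CONF, INPUTS_CONF_DOUBLE))
```

Run it against the real /etc/fluent-bit/fluent-bit.conf and $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf on the host; the check is cheap enough to put in the deployment pipeline so a later UF app push that adds a catch-all `[monitor:///var/log]` stanza is caught before it silently reintroduces the raw feed.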

Why File Relay?

| Benefit | Description |
| --- | --- |
| 🔧 Standard UF | No protocol changes on the indexer side and no enableOldS2SProtocol flag |
| 👤 App Team Control | The app team configures processing without Splunk admin involvement |
| 🔒 UF Handles Reliability | Buffering, retries, and timeouts stay with UF |
| ✅ Proven Pattern | Reuses the existing Fluent Bit + 10x integration |

When to Use

This module is recommended for VM/traditional infrastructure where Splunk UF is already deployed. For Kubernetes environments Splunk does not deploy UF per node and instead recommends Splunk Connect for Kubernetes (a Fluentd-based collector), so use the 10x Fluent Bit module directly in that case.

Key Files

This module uses the Fluent Bit forwarder module under the hood:

| File | Purpose |
| --- | --- |
| fluentbit/conf/tenx-optimize.conf | Fluent Bit config for optimize mode |
| fluentbit/conf/tenx-regulate.conf | Fluent Bit config for regulate mode |
| fluentbit/conf/tenx-report.conf | Fluent Bit config for report mode |

For setup instructions, see the mode-specific documentation: Report, Regulate, Optimize.

Modules

  • Splunk UF Reporter - Report on events before shipping to Splunk via Universal Forwarder.
  • Splunk UF Regulator - Regulate events before shipping to Splunk via Universal Forwarder.
  • Splunk UF Optimizer - Optimize events before shipping to Splunk via Universal Forwarder.


This module is defined in splunkUF/module.yaml.