- Feature
- Resolution: Done
- Normal
- Logging 5.6
- False
- False
- SRES-Arch
- Undefined
Goals
- Provide a new output option to forward logs to Splunk.
Non-Goals
Motivation
Usually, we recommend using Splunk Connect for Kubernetes, but some customers have requirements to send logs to multiple, different systems including Splunk. For these use cases, they'd like to avoid deploying multiple different "Agents" and want to use our supported solution instead.
Alternatives
For forwarding logs only to Splunk, users should use Splunk Connect for Kubernetes.
Acceptance Criteria
Risk and Assumptions
Documentation Considerations
Open Questions
Additional Notes
Original Request
Proposed title of this feature request
Support Splunk as output for ClusterLogForwarder
What is the nature and description of the request?
Splunk is one of the big players in logging management, and currently there is no direct support for it in ClusterLogForwarder.
Why does the customer need this?
The customer has a mix of external Elasticsearch and Splunk clusters and would like to send the logs directly from Fluentd to them using HEC via the fluent-plugin-splunk-hec plugin, which is already present in the Red Hat Fluentd image used on OCP4.
They're aware of valid solutions like setting up an external Fluentd and forwarding the logs from there to Splunk, but considering how popular Splunk is, it makes sense to make it a supported output.
List any affected packages or components.
Cluster Logging