Using Splunk UF with BindPlane OP

BindPlane OP and the BindPlane Agent can be used to collect data from your Splunk Universal Forwarders. This allows you to start taking advantage of BindPlane OP without the need to re-instrument your collectors at the edge.

Step 1: Update your outputs.conf on your Universal Forwarders

By default, the Splunk Universal Forwarder (UF) sends data over TCP in Splunk’s proprietary Splunk to Splunk (S2S) protocol. In order to allow the Bindplane Agent to receive data from the UF, it will need to be sent in a raw format instead. This is accomplished by creating a Splunk output configuration stanza that disables the S2S protocol by setting the parameter sendCookedData to false.

Below is a sample outputs.conf file, after you’ve made the required changes.

defaultGroup = otel

server = localhost:8779  
compressed = false  
useACK = false  
sendCookedData = false

Step 2: Deploy a BindPlane Agent as an aggregator

This is the agent you’ll be routing data through, and is what will be managed by BindPlane OP. In a production environment, this is likely to be a fleet of agents behind a load balancer. See our Collector Sizing and Scaling docs for more details on determining your collector architecture.

Step 3: Build the Configuration

  1. Create a new configuration
  2. Add the TCP Source and configure it to receive from your Universal Forwarders (as shown below)
  1. Add the Splunk destination and configure it to point to your Splunk Enterprise or Splunk Observability Cloud environment

Step 4: Transform the Data

Once you’ve verified data is flowing through the BindPlane Agent to Splunk without issue, you can now start re-routing data to different destinations and inserting processors into your pipleine to reduce the amount of data you’re sending.