BindPlane OP and the BindPlane Agent can be used to collect data from your Splunk Universal Forwarders. This allows you to start taking advantage of BindPlane OP without the need to re-instrument your collectors at the edge.
By default, the Splunk Universal Forwarder (UF) sends data over TCP in Splunk’s proprietary Splunk-to-Splunk (S2S) protocol. For the BindPlane Agent to receive data from the UF, the data must be sent in raw format instead. This is accomplished by creating a Splunk output configuration stanza that disables the S2S protocol by setting the parameter sendCookedData to false.
Below is a sample outputs.conf file, after you’ve made the required changes.
```
[tcpout]
defaultGroup = otel

[tcpout:otel]
server = localhost:8779
compressed = false
useACK = false
sendCookedData = false
```
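To catch a forwarder that is still sending cooked (S2S) data before it is restarted, the check below parses an outputs.conf and reports any default tcpout group that does not match the sample above. It is an added example, not BindPlane or Splunk code; the function name, the `false`-only value matching, the fallback to the global `[tcpout]` stanza and the built-in defaults (sendCookedData true, useACK false, compressed false) are assumptions of this sketch, and both sample files are constructed.

```python
import configparser

# Values taken from the page's sample outputs.conf.
REQUIRED = {"sendCookedData": "false", "useACK": "false", "compressed": "false"}
# Assumed Splunk defaults, applied when a setting appears in no stanza.
DEFAULTS = {"sendCookedData": "true", "useACK": "false", "compressed": "false"}

# Constructed samples: the page's configuration, and one missing sendCookedData.
GOOD = """
[tcpout]
defaultGroup = otel

[tcpout:otel]
server = localhost:8779
compressed = false
useACK = false
sendCookedData = false
"""
COOKED = """
[tcpout]
defaultGroup = otel

[tcpout:otel]
server = localhost:8779
useACK = false
"""

def check_outputs_conf(text):
    """Return findings for the default tcpout group(s); an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    if not cp.has_section("tcpout"):
        return ["no [tcpout] stanza"]
    default_group = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in default_group.split(",") if g.strip()]
    if not groups:
        return ["[tcpout] has no defaultGroup"]
    findings = []
    for group in groups:
        stanza = f"tcpout:{group}"
        if not cp.has_section(stanza):
            findings.append(f"[{stanza}] is missing")
            continue
        if not cp.get(stanza, "server", fallback="").strip():
            findings.append(f"[{stanza}] has no server")
        for key, want in REQUIRED.items():
            # Group stanza first, then global [tcpout], then the assumed default.
            inherited = cp.get("tcpout", key, fallback=DEFAULTS[key])
            value = cp.get(stanza, key, fallback=inherited).strip()
            if value.lower() != want:
                findings.append(f"[{stanza}] {key} = {value} (expected {want})")
    return findings
```

Calling `check_outputs_conf(COOKED)` returns one finding for sendCookedData, because the setting is absent and the assumed default leaves S2S enabled.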
This is the agent you’ll be routing data through, and is what will be managed by BindPlane OP. In a production environment, this is likely to be a fleet of agents behind a load balancer. See our Collector Sizing and Scaling docs for more details on determining your collector architecture.
- Create a new configuration
- Add the TCP Source and configure it to receive from your Universal Forwarders (as shown below)
- Add the Splunk destination and configure it to point to your Splunk Enterprise or Splunk Observability Cloud environment
Once you’ve verified data is flowing through the BindPlane Agent to Splunk without issue, you can start re-routing data to different destinations and inserting processors into your pipeline to reduce the amount of data you’re sending.