Using Splunk UF with Bindplane

Bindplane and the Bindplane Collector can be used to collect data from your Splunk Universal Forwarders. This allows you to start taking advantage of Bindplane without the need to re-instrument your collectors at the edge.

Step 1: Update your outputs.conf on your Universal Forwarders

By default, the Splunk Universal Forwarder (UF) sends data over TCP in Splunk’s proprietary Splunk to Splunk (S2S) protocol. In order to allow the Bindplane Collector to receive data from the UF, it will need to be sent in a raw format instead. This is accomplished by creating a Splunk output configuration stanza that disables the S2S protocol by setting the parameter sendCookedData to false.

Below is a sample outputs.conf file, after you’ve made the required changes.

[tcpout]
defaultGroup = otel

[tcpout:otel]
server = localhost:8779
compressed = false
useACK = false
sendCookedData = false

Step 2: Deploy a Bindplane Collector as a Gateway

This is the collector you’ll be routing data through and is what will be managed by Bindplane. In a production environment, this is likely to be a fleet of collectors behind a load balancer. See our Collector Sizing and Scaling docs for more details on determining your collector architecture.

Step 3: Build the Configuration

1. Create a new configuration

2. Add the TCP Source and configure it to receive from your Universal Forwarders (as shown below)

1. Add the Splunk destination and configure it to point to your Splunk Enterprise or Splunk Observability Cloud environment.

Step 4: Transform the Data

Once you’ve verified data is flowing through the Bindplane Collector to Splunk without issue, you can now start re-routing data to different destinations and inserting processors into your pipeline to reduce the amount of data you’re sending.