
Kubernetes Search

Query your Kubernetes clusters live from the Splunk search bar - like kubectl, as SPL. List resources, stream pod logs, read events, and describe objects across every registered cluster. Read-only and RBAC-controlled. No in-cluster agent, no ingestion, no index storage. Free tier for one cluster; a paid license unlocks multi-cluster and per-user access.


Latest Version: 1.0.0 (June 16, 2026)
Compatibility: Splunk Enterprise, Splunk Cloud
Platform Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.4
Rating: 5 (1 rating)
Support: Developer Supported app
Kubernetes Search brings live, read-only access to the Kubernetes API into the Splunk search bar. Instead of switching to a terminal and kubectl, you run SPL - | k8s kind=pods namespace=payments - and Splunk queries the cluster's API server directly and streams the current state into your search.

The problem it solves: when something breaks in a cluster, the question is usually "what is true right now?" - is the pod still crash-looping, what do its events say, is the node Ready. Answering that has meant leaving Splunk, holding cluster credentials, and running kubectl by hand. Ingestion pipelines give you history, but at the cost of storage and license volume, and they show the cluster only as of the last sample. Kubernetes Search answers the live question from inside Splunk, with no credentials handed out and every query recorded in the Splunk audit log.

How it works:

- Five search commands cover the common kubectl verbs: | k8s (list or get any resource), | k8slogs (stream pod logs), | k8sevents (cluster events), | k8sdescribe (an object plus its events), and | k8syaml (format JSON as YAML).
- Everything runs on the search head and is strictly read-only - it never applies, scales, or deletes anything.
- Nothing is indexed: no storage cost, no license volume, no source types, no field extractions. Results exist only for the life of your search.
- Register many clusters and fan out with context=* - each row carries a cluster field, so you query and aggregate across your whole fleet from one pane.
- Access is gated by a Splunk capability and a per-cluster credential model (shared, per-user, or Kubernetes impersonation), so analysts get controlled, audited read access without being handed kubectl or cluster credentials.
- A short-lived on-disk cache keeps dashboards from hammering your API servers; Secrets are never cached.

There is no agent to install in your cluster - only a network route from the search head to the API server and a credential.
The app installs on search heads only and writes nothing to any index. It pairs naturally with ingestion: use Monitoring Kubernetes or OpenTelemetry for history and trends, and Kubernetes Search for the live picture - in the same Splunk session.

Kubernetes Search runs on a free tier with no license key (one cluster, single standalone search head). A paid license unlocks multiple clusters, search head clustering, per-user credentials, and impersonation.

Built and supported by Outcold Solutions. Documentation: https://www.outcoldsolutions.com/docs/kubernetes-search/

Categories

IT Operations, DevOps

Created By

Outcold Solutions LLC

Type

app
