Splunk

Signals Provided

Logs - Application and container logs for correlation with root causes

Overview

Causely integrates with Splunk for log retrieval: when your container logs are already centralized in Splunk, Causely can query Splunk instead of the Kubernetes API to pull those logs and correlate them with service-level incidents and root causes.

Use this integration if:

Your logs are already shipped to Splunk (for example via Splunk Universal Forwarder, Fluentd, or other collectors).
You want Causely to surface relevant logs in the context of an active root cause or service malfunction, without collecting logs from Kubernetes directly.

Benefits

Automatic log context: Surfaces relevant logs in the context of an active root cause or service malfunction.
Container-level visibility: Displays container-level logs under affected services when abnormal behavior occurs (for example error spikes or degraded performance).
Faster resolution: Shows log lines and exceptions alongside root causes to validate issues and shorten time to understanding and resolution.

Setup

Step 1: Create a Kubernetes Secret for Splunk authentication

If your Splunk deployment requires authentication, create a Kubernetes Secret containing a Splunk token:

kubectl create secret generic splunk-secret \
  --namespace causely \
  --from-literal=token="your-splunk-token"

Use the same secret name in the configuration below (for example splunk-secret). If Splunk does not require authentication, you can omit the secret field in the configuration.

Step 2: Update the Kubernetes scraper configuration

Enable Splunk for log retrieval by adding the splunk block under the Kubernetes scraper in your causely-values.yaml (or Helm values):

scrapers:
  kubernetes:
    splunk:
      endpoint: "https://splunk:8089"
      secret: "splunk-secret"   # Optional: omit if no auth required
      index: "main"             # Optional: Splunk index for log queries; defaults to "main" if omitted
      insecureSkipVerify: false # Optional: set true only for dev/test to skip TLS verification (insecure)

Configuration reference

Field	Required	Description
`endpoint`	Yes	Splunk API endpoint URL (for example `https://splunk.example.com:8089`).
`secret`	No	Kubernetes secret name in the Causely namespace containing the key `token` with your Splunk token. Omit if authentication is not required.
`index`	No	Splunk index used for log queries. Defaults to `main` if omitted.
`insecureSkipVerify`	No	Set to `true` only in dev/test environments to skip TLS certificate verification. Insecure; do not use in production. Defaults to `false`.

Step 3: Install or upgrade Causely

Apply your values and install or upgrade the Causely Helm release so the mediator uses the Splunk configuration for log retrieval.

Authentication

Token: Include token in the Kubernetes secret referenced by secret. This is the standard way to authenticate to Splunk (for example HEC token or API token).
No auth: Omit the secret field in the configuration if your Splunk endpoint does not require authentication.

Supported log types

Container logs (stdout/stderr) that have been shipped to Splunk and are queryable in the configured index.

Result

Causely retrieves and displays logs from Splunk alongside a root cause, highlighting the precise errors or stack traces that occurred around the time of failure.
Logs are correlated with affected services and root causes to speed up validation and resolution.

Overview​

Benefits​

Setup​

Step 1: Create a Kubernetes Secret for Splunk authentication​

Step 2: Update the Kubernetes scraper configuration​

Configuration reference​

Step 3: Install or upgrade Causely​

Authentication​

Supported log types​

Result​