Collect events with the Collector for Kubernetes

You can collect Kubernetes-related event data in different ways, depending on whether you want Kubernetes event objects, other Kubernetes API objects, or node-level systemd journal logs.

All of these collection methods send data through the logs pipeline.

Use cases

Use the following table to choose the collection method that matches your use case.

| Use case | Use | For more information |
| --- | --- | --- |
| Use the Helm chart to collect Kubernetes event objects from the Kubernetes API server. | clusterReceiver.eventsEnabled | Collect Kubernetes event objects with clusterReceiver |
| Configure the Collector directly to collect Kubernetes event objects from the Kubernetes API server. | receivers.k8s_events in the logs pipeline | Collect Kubernetes event objects with the Kubernetes Events Receiver |
| Collect Kubernetes API objects such as pods, deployments, services, or events. | clusterReceiver.k8sObjects | Collect Kubernetes objects, including events |
| Collect the Kubernetes events resource together with other Kubernetes objects. | clusterReceiver.k8sObjects with name: events | Collect Kubernetes objects, including events |
| Collect node-level service logs such as kubelet, containerd, or docker. | logsCollection.journald | Collect journald events |

Collect Kubernetes event objects with clusterReceiver

If you deploy the Collector with the Helm chart, use clusterReceiver.eventsEnabled to enable Kubernetes event object collection. This setting is enabled by default.

The featureGates.sendK8sEventsToSplunkO11y feature gate controls whether Kubernetes event objects are sent to Splunk Observability Cloud. Enable this feature gate to send Kubernetes events to Splunk Observability Cloud.

When enabled, clusterReceiver.eventsEnabled adds the k8s_events receiver to the logs pipeline.

YAML
clusterReceiver:
  eventsEnabled: true

featureGates:
  sendK8sEventsToSplunkO11y: true

Note: clusterReceiver.eventsEnabled is enabled by default. To send Kubernetes events to Splunk Observability Cloud, you must also enable featureGates.sendK8sEventsToSplunkO11y.

Collect Kubernetes event objects with the Kubernetes Events Receiver

If you configure the Collector directly, add the k8s_events receiver to your Collector configuration and include it in the logs pipeline.

The Kubernetes Events Receiver collects new and updated Kubernetes event objects from the Kubernetes API server and emits them as OpenTelemetry logs.

The receiver supports service account authentication and can be scoped to specific namespaces. It also supports API throttling settings and optional storage to persist the latest Kubernetes resourceVersion across restarts.

YAML
receivers:
  k8s_events:
    auth_type: serviceAccount
    namespaces: [default]

service:
  pipelines:
    logs:
      receivers: [k8s_events]
      exporters: [otlp]

Use this configuration method when you work directly with Collector components instead of using the Helm chart.
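
Least-privilege RBAC for the service account behind auth_type: serviceAccount with namespaces: [default], shown as an added example that is not part of the original page or the Collector project's own manifests. It assumes the receiver only needs to read core-group Event objects in the listed namespace; the service account name otel-collector, the namespace observability, and the role name are hypothetical.

```yaml
# Added example: namespace-scoped, read-only access to Events.
# Assumption: the Collector pod runs as ServiceAccount "otel-collector"
# in namespace "observability" (both names are hypothetical).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: otel-collector
  namespace: observability
---
# Role, not ClusterRole: access is granted only inside "default",
# matching `namespaces: [default]` in the receiver configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: otel-k8s-events-reader   # hypothetical name
  namespace: default
rules:
  - apiGroups: [""]              # core API group, where v1 Event objects live
    resources: ["events"]
    verbs: ["get", "list", "watch"]   # read-only: no create, patch, or delete
---
# Binds the Role in "default" to the service account in "observability".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: otel-k8s-events-reader
  namespace: default
subjects:
  - kind: ServiceAccount
    name: otel-collector
    namespace: observability
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: otel-k8s-events-reader
# Verify the effective permissions after applying:
#   kubectl auth can-i watch events -n default \
#     --as=system:serviceaccount:observability:otel-collector    # expect: yes
#   kubectl auth can-i list secrets -n default \
#     --as=system:serviceaccount:observability:otel-collector    # expect: no
```

Add one Role and RoleBinding for each namespace listed under namespaces. Collecting from all namespaces requires a ClusterRole and ClusterRoleBinding with the same rule instead.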

Collect Kubernetes objects, including events

To collect Kubernetes objects as logs, add clusterReceiver.k8sObjects to your configuration file and enable log collection by setting logsEnabled to true in either splunkObservability or splunkPlatform.

The k8sobjects receiver collects objects from the Kubernetes API server and sends them through the logs pipeline. It supports many object types, including pods, events, nodes, deployments, services, configmaps, and namespaces.

Use this option when you want to collect Kubernetes API objects more broadly, not just Kubernetes event objects.

clusterReceiver.k8sObjects supports the following fields:

  • name: Required. The Kubernetes object type to collect, such as pods, namespaces, or events.
  • mode: Defines how the object is collected. Supported values are pull and watch. The default is pull.
  • namespaces: If specified, the Collector collects objects only from the listed namespaces. By default, objects from all namespaces are included.
  • labelSelector: Select objects by label.
  • fieldSelector: Select objects by field.
  • interval: Applies only to pull mode. Sets how often the Collector pulls objects.
  • group: Optional. Specifies the API group when a resource exists in multiple groups, such as events.k8s.io.

Collection modes work as follows:

  • pull: Uses the Kubernetes list API to read all matching objects at a configured interval.
  • watch: Uses the Kubernetes watch API to keep a long-lived connection open and receive updates as objects change.

YAML
splunkObservability:
  logsEnabled: true

clusterReceiver:
  k8sObjects:
    - name: pods
      mode: pull
      label_selector: environment in (production),tier in (frontend)
      field_selector: status.phase=Running
      interval: 15m
    - name: events
      mode: watch
      group: events.k8s.io
      namespaces: [default]

Use name: events under clusterReceiver.k8sObjects when you want to collect the Kubernetes events resource through the generic Kubernetes objects receiver instead of the dedicated Kubernetes events receiver.

Collect journald events

The Splunk Distribution of OpenTelemetry Collector for Kubernetes can also collect journald events from Kubernetes environments.

Use this option when you want to collect node-level service logs, such as kubelet, docker, or containerd logs. Journald collection reads from the systemd journal on the node. It doesn't collect Kubernetes event objects from the Kubernetes API server.

YAML
logsCollection:
  journald:
    enabled: true
    directory: /run/log/journal
    units:
      - name: kubelet
        priority: info
      - name: docker
        priority: info
      - name: containerd
        priority: info
    index: ""