There is not an add-on that can natively ingest Avro files. Splunk is not able to read them because .avro files are in a binary format that Splunk can't read.
Alternatively, you can change the format to a text format prior to ingestion in order for Splunk to read it. For more information on this approach, please check the Answers post linked below:
https://answers.splunk.com/answers/83891/indexing-an-avro-file.html
The example given is as follows:
Avro to “json” conversion:
Install Avro Tools:
wget 'https://archive.apache.org/dist/avro/avro-1.7.5/py/avro-1.7.5.tar.gz'
tar xvf avro-1.7.5.tar.gz
cd avro-1.7.5
sudo python setup.py install
Install Avro Tools using PIP:
pip install avro
Conversion from Avro to json
avro cat /avro_file_path/*.avro --format json > "output_file_path/output.json"
Data input >> Files & Directories >> Monitor "output_file_path/output.json"
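What the conversion step does to the binary container, as an added example that is not part of the original answer or of the Apache Avro tooling: a standard-library Python reader that turns an uncompressed Avro container file into one JSON object per line. It assumes the null codec and record schemas built from string, int, long, null and unions; the function names and the sample bytes are constructed for illustration.

```python
import io, json

def read_long(buf):
    shift = result = 0  # Avro int/long: base-128 varint, zigzag encoded
    while True:
        b = buf.read(1)[0]
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return (result >> 1) ^ -(result & 1)
        shift += 7

def read_datum(buf, schema):
    if isinstance(schema, list):  # union: branch index comes first
        return read_datum(buf, schema[read_long(buf)])
    kind = schema["type"] if isinstance(schema, dict) else schema
    if kind == "record":
        return {f["name"]: read_datum(buf, f["type"]) for f in schema["fields"]}
    prim = {"int": read_long, "long": read_long, "null": lambda b: None,
            "string": lambda b: b.read(read_long(b)).decode("utf-8")}
    return prim[kind](buf)  # KeyError: a type this example does not cover

def avro_to_ndjson(data):
    buf = io.BytesIO(data)
    if buf.read(4) != b"Obj\x01":
        raise ValueError("not an Avro object container file")
    meta = {}
    while (n := read_long(buf)) != 0:  # header metadata map (positive counts)
        for _ in range(n):
            key = buf.read(read_long(buf)).decode()
            meta[key] = buf.read(read_long(buf))
    if meta.get("avro.codec", b"null") != b"null":
        raise ValueError("compressed blocks are not handled in this example")
    schema, sync, lines = json.loads(meta["avro.schema"]), buf.read(16), []
    while buf.tell() < len(data):
        count, _size = read_long(buf), read_long(buf)  # objects, byte length
        lines += [json.dumps(read_datum(buf, schema)) for _ in range(count)]
        if buf.read(16) != sync:
            raise ValueError("sync marker mismatch: truncated or corrupt file")
    return "\n".join(lines)

# Constructed sample: two records, null codec, all-zero sync marker.
def pre(b):  # varint length prefix, enough for the sample (len < 8192)
    n = len(b) * 2
    return (bytes([n & 0x7F | 0x80, n >> 7]) if n > 0x7F else bytes([n])) + b
SCHEMA = (b'{"type":"record","name":"Login","fields":[{"name":"user",'
          b'"type":"string"},{"name":"failed","type":["null","long"]}]}')
ROWS = pre(b"alice") + b"\x02\x06" + pre(b"bob") + b"\x00"
SAMPLE = (b"Obj\x01\x02" + pre(b"avro.schema") + pre(SCHEMA) + b"\x00"
          + bytes(16) + b"\x04" + pre(ROWS) + bytes(16))
```

For real files, use the `avro` package from the steps above; this reader only shows why the raw file is unreadable as text and what the JSON output contains.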