is there any way to forward the osquery logs directly to spunk without files?

You can use Firehose as an intermediary and forward them from there to Splunk: https://fleetdm.com/docs/using-fleet/osquery-logs#splunk

firehose possible also not in the cloud?

Without Firehose you could use the filesystem logging destination and then have a log forwarder like vector or other splunk-specific forwarder import the logs from file.

ok thanks