Skip to main content
Version: 3.2

Splunk Load Balanced

Splunk is a streaming Destination type, and with the Splunk Load Balanced output, you can load-balance data out to multiple Splunk receivers.

For additional details about sending to Splunk Cloud, see Splunk Cloud and BYOL Integrations.

How Does Load Balancing Work

Cribl LogStream will attempt to load-balance outbound data as fairly as possibly across all receivers (listed as Destinations in the GUI). If FQDNs/hostnames are used as the Destination address and each resolves to, for example, 5 (unique) IPs, then each worker process will have its # of outbound connections = # of IPs x # of FQDNs for purposes of the SplunkLB output. Data is sent by all worker processes to all receivers simultaneously, and the amount sent to each receiver depends on these parameters:

  1. Respective destination weight.
  2. Respective destination historical data.

By default, historical data is tracked for 300s. LogStream uses this data to influence the traffic sent to each destination, to ensure that differences decay over time, and that total ratios converge towards configured weights.


Suppose we have two receivers, A and B, each with weight of 1 (i.e., they are configured to receive equal amounts of data). Suppose further that the load-balance stats period is set at the default 300s and – to make things easy – for each period, there are 200 events of equal size (Bytes) that need to be balanced.

IntervalTime RangeEvents to be dispensed
1time=0s ---> time=300s200

Both A and B start this interval with 0 historical stats each.

Let's assume that, due to various circumstances, 200 events are "balanced" as follows: A = 120 events and B = 80 events – a difference of 40 events and a ratio of 1.5:1.

IntervalTime RangeEvents to be dispensed
2time=300s ---> time=600s200

At the beginning of interval 2, the load-balancing algorithm will look back to the previous interval stats and carry half of the receiving stats forward. I.e., receiver A will start the interval with 60 and receiver B with 40. To determine how many events A and B will receive during this next interval, LogStream will use their weights and their stats as follows:

Total number of events: events to be dispensed + stats carried forward = 200 + 60 + 40 = 300. Number of events per each destination (weighed): 300/2 = 150 (they're equal, due to equal weight). Number of events to send to each destination A: 150 - 60 = 90 and B: 150 - 40 = 110.

Totals at end of interval 2: A=120+90=210, B=80+110=190, a difference of 20 events and a ratio of 1.1:1.

Over the subsequent intervals, the difference becomes exponentially less pronounced, and eventually insignificant. Thus, the load gets balanced fairly.

Configuring Cribl LogStream to Load-Balance to Multiple Splunk Destinations

In the QuickConnect UI: Click + Add beside Destinations. From the resulting drawer's tiles, select Splunk > Single Instance. Next, click either + Add New or (if displayed) Select Existing. The resulting drawer will provide the following options and fields.

Or, in the Data Routes UI: From the top nav of a LogStream instance or Group, select Data > Destinations. From the resulting page's tiles or the Destinations left nav, select Splunk > Single Instance. Next, click + Add New to open a New Destination modal that provides the following options and fields.

General Settings

Output ID: Enter a unique name to identify this Splunk LB Destination definition.

Indexer Discovery: When toggled to Yes, enables automatic discovery of indexers in an indexer clustering environment. See Indexer Discovery for the resulting UI options at the bottom of General Settings. When set to No (the default), instead displays the Destinations section at the bottom of General Settings.

Exclude current host IPs: Exclude all IPs of the current host from the list of any resolved hostnames. Defaults to Yes.

Backpressure behavior: Select whether to block, drop, or queue events when all receivers in this group are exerting backpressure. (Causes might include a broken or denied connection, or a rate limiter.) Defaults to Block. When toggled to Persistent Queue, adds the Persistent Queue Settings section (left tab) to the modal.


The Destinations section appears only when Indexer discovery is set to its No default. Here, you specify a known set of Splunk receivers on which to load-balance data.

Click + Add Destination to specify more receivers on new rows. Each row provides the following fields:

  • Address: Hostname of the Splunk receiver. Optionally, you can paste in a comma-separated list, in <host>:<port> format.

  • Port: Port number to send data to.

  • TLS: Whether to inherit TLS configs from group setting, or disable TLS. Defaults to inherit.

  • TLS servername: Servername to use if establishing a TLS connection. If not specified, defaults to connection host (if not an IP). Otherwise, uses the global TLS settings.

  • Load weight: The weight to apply to this Destination for load-balancing purposes.

Indexer Discovery

Toggling the Indexer Discovery toggle to Yes displays the following fields instead of the Destinations section:

Site: Clustering site from which indexers need to be discovered. In the case of a single site cluster, default is the default entry.

Cluster Manager URI: Full URI of Splunk cluster manager, in the format: scheme://host:port. (Worker Nodes normally access the cluster manager on port 8089 to get the list of currently online indexers.)

Auth token: Authentication token required to authenticate to the cluster manager for indexer discovery.

Refresh period: Time interval (in seconds) between two consecutive fetches of indexer list from cluster manager. Defaults to 300 seconds, i.e., 5 minutes.

Each Worker Process performs its own indexer discovery according to the above settings.

Enabling Cluster Manager Authentication

To enable token authentication on the Splunk cluster manager, you can find complete instructions in Splunk's Enable or Disable Token Authentication documentation. This option requires Splunk 7.3.0 or higher, and requires the following capabilites: list_indexer_cluster and list_indexerdiscovery.

For details on creating the token, see Splunk's Create Authentication Tokens topic – especially its section on how to Configure Token Expiry and "Not Before" Settings.

Be sure to give the token an Expiration setting well in the future, whether you use Relative Time or Absolute Time. Otherwise, the token will inherit Splunk's default expiration time of +30d (30 days in the future), which will cause indexer discovery to fail.

If you have a failover site configured on Splunk's cluster manager, Cribl respects this configuration, and forwards the data to the failover site in case of site failure.

Persistent Queue Settings

This section is displayed when the Backpressure behavior is set to Persistent Queue.

Max file size: The maximum size to store in each queue file before closing it. Enter a numeral with units of KB, MB, etc. Defaults to 1 MB.

Max queue size: The maximum amount of disk space the queue is allowed to consume. Once this limit is reached, queueing is stopped, and data blocking is applied. Enter a numeral with units of KB, MB, etc.

Queue file path: The location for the persistent queue files. This will be of the form: your/path/here/<worker-id>/<output-id>. Defaults to $CRIBL_HOME/state/queues.

Compression: Codec to use to compress the persisted data, once a file is closed. Defaults to None; Gzip is also available.

Queue-full behavior: Whether to block or drop events when the queue is exerting backpressure (because disk is low or at full capacity). Block is the same behavior as non-PQ blocking. Drop new data drops the newest events being sent out of LogStream, throws away incoming data, and leaves the contents of the PQ unchanged.

TLS Settings (Client Side)

Enabled defaults to No. When toggled to Yes:

Validate server certs: Toggle to Yes to reject certificates that are not authorized by a CA in the CA certificate path, nor by another trusted CA (e.g., the system's CA).

Server name (SNI): Server name for the SNI (Server Name Indication) TLS extension. This must be a host name, not an IP address.

Certificate name: The name of the predefined certificate.

CA certificate path: Path on client containing CA certificates (in PEM format) to use to verify the server's cert. Path can reference $ENV_VARS.

Private key path (mutual auth): Path on client containing the private key (in PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Certificate path (mutual auth): Path on client containing certificates in (PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Passphrase: Passphrase to use to decrypt private key.

Minimum TLS version: Optionally, select the minimum TLS version to use when connecting.

Maximum TLS version: Optionally, select the maximum TLS version to use when connecting.

Single PEM File

If you have a single .pem file containing cacert, key, and cert sections, enter this file's path in all of these fields above: CA certificate path, Private key path (mutual auth), and Certificate path (mutual auth).

Timeout Settings

  • Connection timeout: Amount of time (in milliseconds) to wait for the connection to establish, before retrying. Defaults to 10000 ms.

  • Write timeout: Amount of time (in milliseconds) to wait for a write to complete, before assuming connection is dead. Defaults to 60000 ms.

Processing Settings


Pipeline: Pipeline to process data before sending the data out using this output.

System fields: A list of fields to automatically add to events that use this output. By default, includes cribl_pipe (identifying the LogStream Pipeline that processed the event). Supports wildcards. Other options include:

  • cribl_host – LogStream Node that processed the event.
  • cribl_wp – LogStream Worker Process that processed the event.
  • cribl_input – LogStream Source that processed the event.
  • cribl_output – LogStream Destination that processed the event.

Advanced Settings

Output Multi Metrics: Toggle this slider to Yes to output multiple-measurement metric data points. (Supported in Splunk 8.0 and above, this format enables sending multiple metrics in a single event, improving the efficiency of your Splunk capacity.)

Minimize in-flight data loss: If set to Yes (the default), LogStream will check whether the indexer is shutting down and, if so, stop sending data. This helps minimize data loss during shutdown.

DNS resolution period (seconds): Re-resolve any hostnames after each interval of this many seconds, and pick up destinations from A records. Defaults to 600 seconds.

Load balance stats period (seconds): Lookback traffic history period. Defaults to 300 seconds. (Note that If multiple receivers are behind a hostname – i.e., multiple A records – all resolved IPs will inherit the weight of the host, unless each IP is specified separately. In Cribl LogStream load balancing, IP settings take priority over those from hostnames.)

Max connections: Constrains the number of concurrent indexer connections, per Worker Process, to limit memory utilization. If set to a number > 0, then on every DNS resolution period (or indexer discovery), LogStream will randomly select this subset of discovered IPs to connect to. LogStream will rotate IPs in future resolution periods – monitoring weight and historical data, to ensure fair load balancing of events among IPs.

Nested field serialization: Specifies whether and how to serialize nested fields into index-time fields. Select None (the default) or JSON.

Authentication method: Use the buttons to select one of these options:

  • Manual: In the resulting Auth token field, enter the shared secret token to use when establishing a connection to a Splunk indexer.

  • Secret: This option exposes a Auth token (text secret) drop-down, in which you can select a stored secret that references the auth token described above. A Create link is available to store a new, reusable secret.

Throttling: Throttle rate, in bytes per second. Multiple byte units such as KB, MB, GB, etc., are also allowed. E.g., 42 MB. Default value of 0 indicates no throttling. When throttling is engaged, excess data will be dropped only if Backpressure behavior is set to Drop events. (Data will be blocked for all other Backpressure behavior settings.)

Environment: If you're using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

SSL Configuration for Splunk Cloud – Special Note

To connect to Splunk Cloud, you will need to extract the private and public keys from the Splunk-provided Splunk Cloud Universal Forwarder credentials package. You will also need to reference the CA Certificate located in the same package.

You can reuse many of the settings in this Splunk Cloud package to set up Splunk Cloud Destinations. Use the following steps:

Step 1. Extract the splunkclouduf.spl package on the LogStream instance that you will be connecting to Splunk Cloud. You will have a folder that looks something like this:


Step 2. (optional) Test connectivity to Splunk Cloud, using the Root CA certificate:

openssl s_client -CA 100_<your-splunk-cloud>_splunkcloud/default/my-splunk-cloud_cacert.pem -connect inputs1.<your-splunk-cloud> 

To test the connection, you can use any of the URLs listed in the [tcpout:splunkcloud] stanza's outputs.conf section.

You can simplify Steps 3 and 4 below by dragging and dropping (or uploading) the .pem files into LogStream's New Certificates modal. See SSL Certificate Configuration.

Step 3. Extract the private key from the Splunk Cloud certificate. At the prompt, you will need the sslPassword value from the outputs.conf. Using Elliptic Curve keys:

openssl ec -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out private.pem

If you are using RSA keys, instead use:

openssl rsa 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out private.pem

Step 4. Extract the public key for the Server Certificate:

openssl x509 -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out server.pem

Step 5. In the Splunk Load Balanced Destination's TLS Settings (Client Side) section, enter the following:

  • CA Certificate Path: Path to <your-splunk-cloud>_cacert.pem.
  • Private Key Path (mutual auth): Path to private.pem (Step 3 above).
  • Certificate Path (mutual auth): Path to server.pem (Step 4 above).

In a distributed deployment, enter this Destination configuration on each Worker Group that forwards to Splunk Cloud. Then commit and deploy your changes.

Step 6. In a distributed deployment, enable Worker UI access, and verify that the Certificate files have been distributed to individual workers. If they are not present, copy the Certificate files to the Workers, using exactly the same paths you used at the Group level.

Notes About Forwarding to Splunk

  • Data sent to Splunk is not compressed.

  • The only ack from indexers that LogStream listens for and acts upon is the shutdown signal described in Minimize in-flight data loss above.

  • If events have a LogStream internal field called __criblMetrics, they'll be forwarded to Splunk as metric events.

  • If events do not have a _raw field, they'll be serialized to JSON prior to sending to Splunk.

  • You can copy and paste the Splunk Cloud servers from the [tcpout:splunkcloud] stanza] into the Splunk Load Balanced Destination's General Settings > Destinations section. E.g., from the example stanza below, you would copy only the bolded contents:


    server =,,,,,,,,,,,,,,

    compressed = false

  • From limits.conf, copy the [thruput] value, and paste it into the Splunk Load Balanced Destination's Advanced Settings tab > Throttling setting.