Splunk Load Balanced

The Splunk Load Balanced Destination can load-balance the data it streams to multiple Splunk receivers. Downstream Splunk instances receive the data cooked and parsed.

Type: Streaming | TLS Support: Configurable | PQ Support: Yes

For additional details about sending to Splunk Cloud, see Splunk Cloud and BYOL Integrations.

Configuring Cribl Stream to Load-Balance to Multiple Splunk Destinations

From the top nav, click Manage, then select a Worker Group to configure. Next, you have two options:

To configure via the graphical QuickConnect UI, click Routing > QuickConnect (Stream) or Collect (Edge). Next, click Add Destination at right. From the resulting drawer’s tiles, select Splunk > Load Balanced. Next, click either Add Destination or (if displayed) Select Existing. The resulting drawer will provide the options below.

Or, to configure via the Routing UI, click Data > Destinations (Stream) or More > Destinations (Edge). From the resulting page’s tiles or the Destinations left nav, select Splunk > Load Balanced. Next, click Add Destination to open a New Destination modal that provides the options below.

General Settings

Output ID: Enter a unique name to identify this Splunk LB Destination definition.

Toggling Indexer discovery to Yes enables automatic discovery of indexers in an indexer clustering environment. This hides both Exclude current host IPs and the Destinations section, and displays the following fields:

Site: Clustering site from which indexers need to be discovered. In the case of a single site cluster, default is the default entry.

Cluster Manager URI: Full URI of Splunk cluster manager, in the format: scheme://host:port. (Worker Nodes/Edge Nodes normally access the cluster manager on port 8089 to get the list of currently online indexers.)

Refresh period: Time interval (in seconds) between two consecutive fetches of indexer list from cluster manager. Defaults to 300 seconds, i.e., 5 minutes.

Authentication method: Use the buttons to select one of these options for authenticating to cluster Manager for indexer discovery:

  • Manual: In the resulting Auth token field, enter the required token.

  • Secret: This option exposes a Auth token (text secret) drop-down, in which you can select a stored secret that references the auth token. A Create link is available to store a new, reusable secret.

Each Worker Process performs its own indexer discovery according to the above settings.

Destinations

The Destinations section appears only when Indexer discovery is set to its No default. Here, you specify a known set of Splunk receivers on which to load-balance data.

Click Add Destination to specify more receivers on new rows. Each row provides the following fields:

  • Address: Hostname of the Splunk receiver. Optionally, you can paste in a comma-separated list, in <host>:<port> format.

  • Port: Port number to send data to.

  • TLS: Whether to inherit TLS configs from group setting, or disable TLS. Defaults to inherit.

  • TLS servername: Servername to use if establishing a TLS connection. If not specified, defaults to connection host (if not an IP). Otherwise, uses the global TLS settings.

  • Load weight: Set the relative traffic-handling capability for each connection by assigning a weight (> 0). This column accepts arbitrary values, but for best results, assign weights in the same order of magnitude to all connections. Cribl Stream will attempt to distribute traffic to the connections according to their relative weights.

The final column provides an X button to delete any row from the Destinations table.

For details on configuring all load balancing settings, see About Load Balancing.

Optional Settings

Toggle Exclude current host IPs to Yes if you want to exclude all the current host’s IP addresses from the list of resolved hostnames.

Backpressure behavior: Select whether to block, drop, or queue events when all receivers in this group are exerting backpressure. (Causes might include a broken or denied connection, or a rate limiter.) Defaults to Block. When toggled to Persistent Queue, adds the Persistent Queue Settings section (left tab) to the modal.

Tags: Optionally, add tags that you can use to filter and group Destinations in Cribl Stream’s Manage Destinations page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.

Enabling Cluster Manager Authentication

To enable token authentication on the Splunk cluster manager, you can find complete instructions in Splunk’s Enable or Disable Token Authentication documentation. This option requires Splunk 7.3.0 or higher, and requires the following capabilites: list_indexer_cluster and list_indexerdiscovery.

For details on creating the token, see Splunk’s Create Authentication Tokens topic – especially its section on how to Configure Token Expiry and “Not Before” Settings.

Be sure to give the token an Expiration setting well in the future, whether you use Relative Time or Absolute Time. Otherwise, the token will inherit Splunk’s default expiration time of +30d (30 days in the future), which will cause indexer discovery to fail.

If you have a failover site configured on Splunk’s cluster manager, Cribl respects this configuration, and forwards the data to the failover site in case of site failure.

Persistent Queue Settings

This tab is displayed when the Backpressure behavior is set to Persistent Queue.

On Cribl-managed Cribl.Cloud Workers (with an Enterprise plan), this tab exposes only the destructive Clear Persistent Queue button (described below in this section). A maximum queue size of 1 GB disk space is automatically allocated per PQ‑enabled Destination, per Worker Process. The 1 GB limit is on outbound uncompressed data, and no compression is applied to the queue.

This limit is not configurable. If the queue fills up, Cribl Stream will block outbound data. To configure the queue size, compression, queue-full fallback behavior, and other options below, use a hybrid Group.

Max file size: The maximum data volume to store in each queue file before closing it. Enter a numeral with units of KB, MB, etc. Defaults to 1 MB.

Max queue size: The maximum amount of disk space that the queue is allowed to consume on each Worker Process. Once this limit is reached, this Destination will stop queueing data and apply the Queue‑full behavior. Required, and defaults to 5 GB. Accepts positive numbers with units of KB, MB, GB, etc. Can be set as high as 1 TB, unless you’ve configured a different Max PQ size per Worker Process in Group Settings.

Queue file path: The location for the persistent queue files. Defaults to $CRIBL_HOME/state/queues. To this value, Cribl Stream will append /<worker‑id>/<output‑id>.

Compression: Codec to use to compress the persisted data, once a file is closed. Defaults to None; Gzip is also available.

Queue-full behavior: Whether to block or drop events when the queue is exerting backpressure (because disk is low or at full capacity). Block is the same behavior as non-PQ blocking, corresponding to the Block option on the Backpressure behavior drop-down.. Drop new data drops the newest events being sent out of Cribl Stream, throws away incoming data, and leaves the contents of the PQ unchanged.

TLS Settings (Client Side)

Enabled defaults to No. When toggled to Yes:

Validate server certs: Reject certificates that are not authorized by a CA in the CA certificate path, nor by another trusted CA (e.g., the system’s CA). Defaults to Yes.

Server name (SNI): Server name for the SNI (Server Name Indication) TLS extension. This must be a host name, not an IP address.

Minimum TLS version: Optionally, select the minimum TLS version to use when connecting.

Maximum TLS version: Optionally, select the maximum TLS version to use when connecting.

Certificate name: The name of the predefined certificate.

CA certificate path: Path on client containing CA certificates (in PEM format) to use to verify the server’s cert. Path can reference $ENV_VARS.

Private key path (mutual auth): Path on client containing the private key (in PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Certificate path (mutual auth): Path on client containing certificates in (PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Passphrase: Passphrase to use to decrypt private key.

Single PEM File

If you have a single .pem file containing cacert, key, and cert sections, enter this file’s path in all of these fields above: CA certificate path, Private key path (mutual auth), and Certificate path (mutual auth).

Timeout Settings

  • Connection timeout: Amount of time (in milliseconds) to wait for the connection to establish, before retrying. Defaults to 10000 ms.

  • Write timeout: Amount of time (in milliseconds) to wait for a write to complete, before assuming connection is dead. Defaults to 60000 ms.

Processing Settings

Post-Processing

Pipeline: Pipeline to process data before sending the data out using this output.

System fields: A list of fields to automatically add to events that use this output. By default, includes cribl_pipe (identifying the Cribl Stream Pipeline that processed the event). Supports wildcards. Other options include:

  • cribl_host – Cribl Stream Node that processed the event.
  • cribl_input – Cribl Stream Source that processed the event.
  • cribl_output – Cribl Stream Destination that processed the event.
  • cribl_route – Cribl Stream Route (or QuickConnect) that processed the event.
  • cribl_wp – Cribl Stream Worker Process that processed the event.

Advanced Settings

Output multiple metrics: Toggle to Yes to output multiple-measurement metric data points. (Supported in Splunk 8.0 and above, this format enables sending multiple metrics in a single event, improving the efficiency of your Splunk capacity.)

Minimize in-flight data loss: If set to Yes (the default), Cribl Stream will check whether the indexer is shutting down, and if so, will stop sending data. This helps minimize data loss during shutdown. (Note that Splunk logs will indicate that the Cribl app has set UseAck to true, even though Cribl does not enable full UseAck behavior.) If toggled to No, exposes the following alternative option:

Max failed health checks: Displayed (and set to 1 by default) only if Minimize in‑flight data loss is disabled. This option sends periodic requests to Splunk once per minute, to verify that the Splunk endpoint is still alive and can receive data. Its value governs how many failed requests Cribl Stream will allow before closing this connection.

A low threshold value improves connections’ resilience, but by proliferating connections, this can complicate troubleshooting. Set to 0 to disable health checks entirely – here, if the connection to Splunk is forcibly closed, you risk some data loss.

Max S2S version: The highest version of the Splunk-to-Splunk protocol to expose during handshake. Defaults to v3; v4 is also available.

DNS resolution period (seconds): Re-resolve any hostnames after each interval of this many seconds, and pick up destinations from A records. Defaults to 600 seconds.

Load balance stats period (seconds): Lookback traffic history period. Defaults to 300 seconds. (Note that If multiple receivers are behind a hostname – i.e., multiple A records – all resolved IPs will inherit the weight of the host, unless each IP is specified separately. In Cribl Stream load balancing, IP settings take priority over those from hostnames.)

Max connections: Constrains the number of concurrent indexer connections, per Worker Process, to limit memory utilization. If set to a number > 0, then on every DNS resolution period (or indexer discovery), Cribl Stream will randomly select this subset of discovered IPs to connect to. Cribl Stream will rotate IPs in future resolution periods – monitoring weight and historical data, to ensure fair load balancing of events among IPs.

Nested field serialization: Specifies whether and how to serialize nested fields into index-time fields. Select None (the default) or JSON.

Authentication method: Use the buttons to select one of these options:

  • Manual: In the resulting Auth token field, enter the shared secret token to use when establishing a connection to a Splunk indexer.

  • Secret: This option exposes an Auth token (text secret) drop-down, in which you can select a stored secret that references the auth token described above. A Create link is available to store a new, reusable secret.

Log failed requests to disk: Toggling to Yes makes the payloads of any (future) failed requests available for inspection. See Inspecting Payloads to Troubleshoot Closed Connections below.

Endpoint health fluctuation time allowance (ms): How long (in milliseconds) each receiver endpoint can report blocked, before this Destination as a whole reports unhealthy, blocking senders. (Grace period for transient fluctuations.) Use 0 to disable the allowance; default is 100 ms; maximum allowed value is 60000 ms (1 minute).

Throttling: Throttle rate, in bytes per second. Multiple byte units such as KB, MB, GB, etc., are also allowed. E.g., 42 MB. Default value of 0 indicates no throttling. When throttling is engaged, excess data will be dropped only if Backpressure behavior is set to Drop events. (Data will be blocked for all other Backpressure behavior settings.)

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Inspecting Payloads to Troubleshoot Closed Connections

When a downstream receiver closes connections from this Destination (or just stops responding), inspecting the payloads of the resulting failed requests can help you find the cause. For example:

  • Suppose you send an event whose size is larger than the downstream receiver can handle.
  • Suppose you send an event that has a number field, but the value exceeds the highest number that the downstream receiver can handle.

When Log failed requests to disk is enabled, you can inspect the payloads of failed requests. Here is how:

  1. In the Destination UI, navigate to the Logs tab.
  2. Find a log entry with a connection error message.
  3. Expand the log entry.
  4. If the message includes the phrase See payload file for more info, note the path in the file field on the next line.

Now you have the path to the directory where Cribl Stream is storing payloads from failed requests. At the command line, navigate to that directory and inspect any payloads that you think might be relevant.

SSL Configuration for Splunk Cloud – Special Note

To connect to Splunk Cloud, you will need to extract the private and public keys from the Splunk-provided Splunk Cloud Universal Forwarder credentials package. You will also need to reference the CA Certificate located in the same package.

You can reuse many of the settings in this Splunk Cloud package to set up Splunk Cloud Destinations. Use the following steps:

Step 1. Extract the splunkclouduf.spl package on the Cribl Stream instance that you will be connecting to Splunk Cloud. You will have a folder that looks something like this:

100_my-splunk-cloud_splunkcloud
	/default/
 		outputs.conf
		limits.conf
		your-splunk-cloud_server.pem
		your-splunk-cloud_cacert.pem

Step 2. (optional) Test connectivity to Splunk Cloud, using the Root CA certificate:

echo | openssl s_client -CAfile 100_<your-splunk-cloud>_splunkcloud/default/my-splunk-cloud_cacert.pem -connect inputs1.<your-splunk-cloud>.splunkcloud.com:9997 

To test the connection, you can use any of the URLs listed in the [tcpout:splunkcloud] stanza’s outputs.conf section.

You can simplify Steps 3 and 4 below by dragging and dropping (or uploading) the .pem files into Cribl Stream’s New Certificates modal. See SSL Certificate Configuration.

Step 3. Extract the private key from the Splunk Cloud certificate. At the prompt, you will need the sslPassword value from the outputs.conf. Using Elliptic Curve keys:

openssl ec -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out private.pem

If you are using RSA keys, instead use:

openssl rsa -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out private.pem

Step 4. Extract the public key for the Server Certificate:

openssl x509 -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out server.pem

Step 5. In the Splunk Load Balanced Destination’s TLS Settings (Client Side) section, enter the following:

  • CA Certificate Path: Path to <your-splunk-cloud>_cacert.pem.
  • Private Key Path (mutual auth): Path to private.pem (Step 3 above).
  • Certificate Path (mutual auth): Path to server.pem (Step 4 above).

In a distributed deployment, enter this Destination configuration on each Worker Group/Fleet that forwards to Splunk Cloud. Then commit and deploy your changes.

Step 6. In a distributed deployment, enable Worker UI access, and verify that the Certificate files have been distributed to individual workers. If they are not present, copy the Certificate files to the Workers, using exactly the same paths you used at the Group level.

Notes About Forwarding to Splunk

  • Data sent to Splunk is not compressed.

  • The only ack from indexers that Cribl Stream listens for and acts upon is the shutdown signal described in Minimize in‑flight data loss above.

  • If events have a Cribl Stream internal field called __criblMetrics, they’ll be forwarded to Splunk as metric events.

  • If events do not have a _raw field, they’ll be serialized to JSON prior to sending to Splunk.

  • You can copy and paste the Splunk Cloud servers from the [tcpout:splunkcloud] stanza into the Splunk Load Balanced Destination’s General Settings > Destinations section. E.g., from the example stanza below, you would copy only the bolded contents:

    [tcpout:splunkcloud]

    server = inputs1.your-splunk-cloud.splunkcloud.com:9997, inputs2.your-splunk-cloud.splunkcloud.com:9997, inputs3.your-splunk-cloud.splunkcloud.com:9997, inputs4.your-splunk-cloud.splunkcloud.com:9997, inputs5.your-splunk-cloud.splunkcloud.com:9997, inputs6.your-splunk-cloud.splunkcloud.com:9997, inputs7.your-splunk-cloud.splunkcloud.com:9997, inputs8.your-splunk-cloud.splunkcloud.com:9997, inputs9.your-splunk-cloud.splunkcloud.com:9997, inputs10.your-splunk-cloud.splunkcloud.com:9997, inputs11.your-splunk-cloud.splunkcloud.com:9997, inputs12.your-splunk-cloud.splunkcloud.com:9997, inputs13.your-splunk-cloud.splunkcloud.com:9997, inputs14.your-splunk-cloud.splunkcloud.com:9997, inputs15.your-splunk-cloud.splunkcloud.com:9997

    compressed = false

    From limits.conf, copy the [thruput] value, and paste it into the Splunk Load Balanced Destination’s Advanced Settings tab > Throttling setting.

  • If you enable TLS including cert validation, indexer discovery might trigger errors. This is because by default, Cribl will get the indexers’ IPs from their certs, not their fully qualified domain names (FQDNs).

    As a workaround, use server.conf on each indexer, setting register_forwarder_address = <your.idx.fqdn>. Cribl will now get that value, and the certs will match.

  • See Splunk’s documentation on editing fields.conf to ensure the visibility of index-time fields sent to Splunk by Cribl Stream.

Troubleshooting Resources

Cribl University’s Advanced Troubleshooting short courses include Destination Integrations: Splunk LB and Destination Integrations: Splunk Cloud. To follow these direct course links, first log into your Cribl University account. (To create an account, click the Sign up link. You’ll need to click through a short Terms & Conditions presentation, with chill music, before proceeding to courses – but Cribl’s training is always free of charge.) Once logged in, check out other useful Advanced Troubleshooting short courses and Troubleshooting Criblets.