On This Page

Home / Stream/ Integrations/ Destinations/ Splunk/Splunk Load Balanced Destination

Splunk Load Balanced Destination

The Splunk Load Balanced Destination can load-balance the data it streams to multiple Splunk receivers. Downstream Splunk instances receive the data cooked and parsed.

Type: Streaming | TLS Support: Configurable | PQ Support: Yes

Looking for a quick way to switch all of your S2S Destinations to Splunk HEC Destinations? Follow our how-to guide: Switch Cribl Stream Destinations from S2S to Splunk HEC.

Splunk Cloud Platform

To establish secure connections to Splunk Cloud, you’ll need to configure SSL settings using the private and public keys from the Splunk Cloud Universal Forwarder credentials package.

For details on which Destination to use for Splunk Cloud, see Splunk Cloud Platform and BYOL Integrations. The Splunk HEC Destination is recommended for most use cases.

Configure Cribl Stream to Load-Balance to Multiple Splunk Destinations

  1. On the top bar, select Products, and then select Cribl Stream. Under Worker Groups, select a Worker Group. Next, you have two options:

    • To configure via QuickConnect, navigate to Routing > QuickConnect (Stream) or Collect (Edge). Select Add Destination and select the Destination you want from the list, choosing either Select Existing or Add New.
    • To configure via the Routes, select Data > Destinations or More > Destinations (Edge). Select the Destination you want. Next, select Add Destination.

  2. In the New Destination modal, configure the following under General Settings:

    • Output ID: Enter a unique name to identify this Splunk LB Destination definition. If you clone this Destination, Cribl Stream will add -CLONE to the original Output ID.
    • Description: Optionally, enter a description.
    • Indexer discovery: When enabled, Cribl Stream will automatically discover the indexers in an indexer clustering environment. </
      This hides both Exclude current host IPs and the Destinations section, and displays the following fields:
    • Site: Clustering site whose indexers need to be discovered. In the case of a single site cluster, default is the default entry.
    • Cluster Manager URI: Full URI of Splunk cluster manager, in the format: scheme://host:port. (Worker Nodes normally access the cluster manager on port 8089 to get the list of currently online indexers.)
    • Refresh period: Time interval (in seconds) between two consecutive fetches of the indexer list from the cluster manager. Defaults to 300 seconds (five minutes).
    • Validate cluster manager certificates: If toggled on (default), Cribl Stream is configured to reject any cluster manager certificate during indexer discovery that is not authorized by your system’s Certificate Authority (CA). Cribl strongly recommends the default setting unless you must allow untrusted (for example, self-signed) certificates.

  3. Under Authentication tokens, select one of the Authentication method options for authenticating to the cluster manager for indexer discovery:

    • Manual: In the resulting Auth token field, enter the required token.

    • Secret: This option exposes an Auth token (text secret) drop-down, from which you can select a stored secret that references the auth token. A Create link is available to store a new, reusable secret.


      If you use multiple cluster managers, you can add multiple tokens to cycle through them if a connection to the primary cluster manager fails. Select Add token to configure another authentication token.

      Each Worker Process performs its own indexer discovery according to the above settings.


  4. The Destinations section appears only when Indexer discovery is toggled off (default). Here, you specify a known set of Splunk receivers on which to load-balance data. Then you assign a weight to Cribl Stream’s connection to each receiver. The higher the weight assigned to a given connection, the more traffic Cribl Stream will attempt to allocate to that connection. Click Add Destination to specify more receivers on new rows. Each row provides the following fields:

    • Address: Hostname or IP address of the receiver. If you enter a hostname, Cribl Stream tries to resolve it to its IP address or addresses. If a hostname has multiple A records – that is, if multiple receivers are behind it – Cribl Stream will assign the weight you assigned to the host to all of its IP addresses.
    • Port: Port number to send data to.
    • TLS: Whether to inherit TLS configs from group setting, or disable TLS. Defaults to inherit.
    • TLS servername: Servername to use if establishing a TLS connection. If not specified, defaults to the connection host (if not an IP). Otherwise, uses the global TLS settings.
    • Load weight: Set the relative traffic-handling capability for each connection by assigning a weight greater than 0. For details, see [Destinations]{#destinations} below.

  5. Next, you can configure the following Optional Settings:

    • Exclude current host IPs: Enable if you want to exclude all the current host’s IP addresses from the list of resolved hostnames.
    • Backpressure behavior: Select whether to block, drop, or queue events when all receivers in this group are exerting backpressure. (Causes might include a broken or denied connection, or a rate limiter.) Defaults to Block. When toggled to Persistent Queue, adds the Persistent Queue Settings section (left tab) to the modal.
    • Tags: Optionally, add tags that you can use to filter and group Destinations on the Destinations page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.

  6. Optionally, you can adjust the Persistent Queue, TLS, Processing, Timeout, and Advanced settings outlined in the sections below.

  7. Select Save, then Commit & Deploy.

Destinations

  • For best results, the weights for all connections should have the same order of magnitude. For example, if you have three connections, weights of 10, 50, and 40 would work; so would weights of 1, 5, and 4 – but weights like 10, 120, and 9 mix different orders of magnitude and should be avoided.

  • You can add connections and keep them unused except for special circumstances such as testing. Just assign these connections a weight of 0 and Cribl Stream will ignore them. When you want to use such a “parked” connection, assign it a weight greater than 0.

The final column provides an X button to delete any row from the Destinations table.

For details on configuring all load balancing settings, see About Load Balancing.

Enabling Cluster Manager Authentication

To enable token authentication on the Splunk cluster manager, you can find complete instructions in Splunk’s Enable or Disable Token Authentication documentation. This option requires Splunk 7.3.0 or higher, and requires the following capabilites: list_indexer_cluster and list_indexerdiscovery.

For details on creating the token, see Splunk’s Create Authentication Tokens topic – especially its section on how to Configure Token Expiry and “Not Before” Settings.

Be sure to give the token an Expiration setting well in the future, whether you use Relative Time or Absolute Time. Otherwise, the token will inherit Splunk’s default expiration time of +30d (30 days in the future), which will cause indexer discovery to fail.

If you have a failover site configured on Splunk’s cluster manager, Cribl respects this configuration, and forwards the data to the failover site in case of site failure.

Persistent Queue Settings

The Persistent Queue Settings tab displays when the Backpressure behavior option in General settings is set to Persistent Queue. Persistent queue buffers and preserves incoming events when a downstream Destination has an outage or experiences backpressure.

Before enabling persistent queue, learn more about persistent queue behavior and how to optimize it with your system:

On Cribl-managed Cloud Workers (with an Enterprise plan), this tab exposes only the destructive Clear Persistent Queue button (described at the end of this section). A maximum queue size of 1 GB disk space is automatically allocated per PQ‑enabled Destination, per Worker Process. The 1 GB limit is on outbound uncompressed data, and no compression is applied to the queue.

This limit is not configurable. If the queue fills up, Cribl Stream/Edge will block outbound data. To configure the queue size, compression, queue-full fallback behavior, and other options below, use a hybrid Group.

Mode: Use this menu to select when Cribl Stream/Edge engages the persistent queue in response to backpressure events from this Destination. The options are:

ModeDescription
ErrorQueues and stores data on a disk only when the Destination is in an error state.
BackpressureAfter the Destination has been in a backpressure state for a specified amount of time, Cribl Stream/Edge queues and stores data to a disk until the backpressure event resolves.
Always onCribl Stream/Edge immediately queues and stores all data on a disk for all events, even when there is no backpressure.

If a Worker/Edge Node starts with an invalid Mode setting, it automatically switches to Error mode. This might happen if the Worker/Edge Node is running a version that does not support other modes (older than 4.9.0), or if it encounters a nonexistent value in YAML configuration files.

Max file size: The maximum data volume to store in each queue file before closing it. Enter a numeral with units of KB, MB, etc. Defaults to 1 MB.

Max queue size: The maximum amount of disk space that the queue can consume on each Worker Process. When the queue reaches this limit, the Destination stops queueing data and applies the Queue‑full behavior. Defaults to 5 GB. This field accepts positive numbers with units of KB, MB, GB, and so on. You can set it as high as 1 TB, unless you’ve configured a different Worker Process PQ size limit on the Group Settings/Fleet Settings page.

Queue file path: The location for the persistent queue files. Defaults to $CRIBL_HOME/state/queues. Cribl Stream/Edge will append /<worker‑id>/<output‑id> to this value.

Compression: Set the codec to use when compressing the persisted data after closing a file. Defaults to None. Gzip is also available.

Queue-full behavior: Whether to block or drop events when the queue begins to exert backpressure. A queue begins to exert backpressure when the disk is low or at full capacity. This setting has two options:

  • Block: The output will refuse to accept new data until the receiver is ready. The system will return block signals back to the sender.
  • Drop new data: Discard all new events until the backpressure event has resolved and the receiver is ready.

Backpressure duration limit: When Mode is set to Backpressure, this setting controls how long to wait during network slowdowns before activating queues. A shorter duration enhances critical data loss prevention, while a longer duration helps avoid unnecessary queue transitions in environments with frequent, brief network fluctuations. The default value is 30 seconds.

Strict ordering: Toggle on (default) to enable FIFO (first in, first out) event forwarding, ensuring Cribl Stream/Edge sends earlier queued events first when receivers recover. The persistent queue flushes every 10 seconds in this mode. Toggle off to prioritize new events over queued events, configure a custom drain rate for the queue, and display this option:

  • Drain rate limit (EPS): Optionally, set a throttling rate (in events per second) on writing from the queue to receivers. (The default 0 value disables throttling.) Throttling the queue drain rate can boost the throughput of new and active connections by reserving more resources for them. You can further optimize Worker startup connections and CPU load in the Group Settings/Fleet Settings > Worker Processes settings.

Clear Persistent Queue: For Cloud Enterprise only, click this button if you want to delete the files that are currently queued for delivery to this Destination. If you click this button, a confirmation modal appears. Clearing the queue frees up disk space by permanently deleting the queued data, without delivering it to downstream receivers. This button only appears after you define the Output ID.

Use the Clear Persistent Queue button with caution to avoid data loss. See Steps to Safely Disable and Clear Persistent Queues for more information.

TLS Settings (Client Side)

Enabled: Defaults to toggled off. When toggled on:

Validate server certs: Reject any server (indexer) certificate that is not authorized by a CA in the CA certificate path or by another trusted CA (such as the CA for your system). Defaults to toggled on.

Server name (SNI): Server name for the SNI (Server Name Indication) TLS extension. This must be a host name, not an IP address.

Minimum TLS version: Optionally, select the minimum TLS version to use when connecting.

Maximum TLS version: Optionally, select the maximum TLS version to use when connecting.

Certificate name: The name of the predefined certificate.

CA certificate path: Path on client containing CA certificates (in PEM format) to use to verify the server’s cert. Path can reference $ENV_VARS.

Private key path (mutual auth): Path on client containing the private key (in PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Certificate path (mutual auth): Path on client containing certificates in (PEM format) to use. Path can reference $ENV_VARS. Use only if mutual auth is required.

Passphrase: Passphrase to use to decrypt private key. Often the value of the sslPassword or similar parameter in the outputs.conf or server.conf file.

Single PEM File

If you have a single .pem file containing cacert, key, and cert sections, enter this file’s path in all of these fields above: CA certificate path, Private key path (mutual auth), and Certificate path (mutual auth).

Timeout Settings

  • Connection timeout: Amount of time (in milliseconds) to wait for the connection to establish, before retrying. Defaults to 10000 ms.

  • Write timeout: Amount of time (in milliseconds) to wait for a write to complete, before assuming connection is dead. Defaults to 60000 ms.

Processing Settings

Post-Processing

Pipeline: Pipeline or Pack to process data before sending the data out using this output.

System fields: A list of fields to automatically add to events that use this output. By default, includes cribl_pipe (identifying the Cribl Stream Pipeline that processed the event). Supports wildcards. Other options include:

  • cribl_host – Cribl Stream Node that processed the event.
  • cribl_input – Cribl Stream Source that processed the event.
  • cribl_output – Cribl Stream Destination that processed the event.
  • cribl_route – Cribl Stream Route (or QuickConnect) that processed the event.
  • cribl_wp – Cribl Stream Worker Process that processed the event.

Advanced Settings

Output multiple metrics: Toggle on to output multiple-measurement metric data points. (Supported in Splunk 8.0 and above, this format enables sending multiple metrics in a single event, improving the efficiency of your Splunk capacity.)

Minimize in-flight data loss: If toggled on (default), Cribl Stream will check whether the indexer is shutting down, and if so, will stop sending data. This helps minimize data loss during shutdown. (Note that Splunk logs will indicate that the Cribl app has set UseAck to true, even though Cribl does not enable full UseAck behavior.) If toggled off, exposes the following alternative option:

Max failed health checks: Displayed (and set to 1 by default) only if Minimize in‑flight data loss is disabled. This option sends periodic requests to Splunk once per minute, to verify that the Splunk endpoint is still alive and can receive data. Its value governs how many failed requests Cribl Stream will allow before closing this connection.

A low threshold value improves connections’ resilience, but by proliferating connections, this can complicate troubleshooting. Set to 0 to disable health checks entirely – here, if the connection to Splunk is forcibly closed, you risk some data loss.

Max S2S version: The highest version of the Splunk-to-Splunk protocol to expose during handshake. Defaults to v4; v3 is also available.

DNS resolution period (seconds): Re-resolve any hostnames after each interval of this many seconds, and pick up destinations from A records. Defaults to 600 seconds.

Load balance stats period (seconds): How far back in time to keep traffic stats for load balancing purposes. Defaults to 300 seconds (five minutes).

Max connections: Constrains the number of concurrent indexer connections, per Worker Process, to limit memory utilization. If set to a number > 0, then on every DNS resolution period (or indexer discovery), Cribl Stream will randomly select this subset of discovered IPs to connect to. Cribl Stream will rotate IPs in future resolution periods – monitoring weight and historical data, to ensure fair load balancing of events among IPs.

Nested field serialization: Specifies whether and how to serialize nested fields into index-time fields. Select None (the default) or JSON.

Authentication method: Use the buttons to select one of these options:

  • Manual: In the resulting Auth token field, enter the shared secret token to use when establishing a connection to a Splunk indexer.

  • Secret: This option exposes an Auth token (text secret) drop-down, in which you can select a stored secret that references the auth token described above. A Create link is available to store a new, reusable secret.

Log failed requests to disk: Toggle on to make the payload of the most recently failed request available for inspection. See Inspect Payload to Troubleshoot Closed Connections below.

Endpoint health fluctuation time allowance (ms): How long (in milliseconds) each receiver endpoint can report blocked, before this Destination as a whole reports unhealthy, blocking senders. (Grace period for transient fluctuations.) Use 0 to disable the allowance; default is 100 ms; maximum allowed value is 60000 ms (1 minute).

Throttling: Throttle rate, in bytes per second. Multiple byte units such as KB, MB, GB, and so forth, are also allowed – for example, 42 MB. A value of 0 (the default) indicates no throttling. When throttling is engaged, excess data will be dropped only if Backpressure behavior is set to Drop events. (Data will be blocked for all other Backpressure behavior settings.)

  • The throttling rate is applied per Worker Process, per configured endpoint. For example, if you have two Worker Processes, each with two endpoints, and you set the throttling rate to 3 MB, the total potential throughput rate is 12 MB per second: up to 3 MB per second for each of the four endpoints. The Max connections setting is also applied per Worker Process. To continue the example, if you set Max connections to 1, the total potential throughput is 6 MB per second, even though each Worker Process has two configured endpoints.

  • The throttling rate is applied after compression.

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Inspect Payload to Troubleshoot Closed Connections

When a downstream receiver closes connections from this Destination (or just stops responding), inspecting the payload of the most recently failed request can help you find the cause. For example:

  • Suppose you send an event whose size is larger than the downstream receiver can handle.
  • Suppose you send an event that has a number field, but the value exceeds the highest number that the downstream receiver can handle.

When Log failed requests to disk is enabled, you can inspect the last failed request payload. Here is how:

  1. In the Destination UI, navigate to the Logs tab.
  2. Find a log entry with a connection error message.
  3. Expand the log entry.
  4. If the message includes the phrase See payload file for more info, note the path in the file field on the next line.

Now you have the path to the directory where Cribl Stream is storing the payload from the last failed request.

SSL Configuration for Splunk Cloud

To connect to Splunk Cloud, you will need to extract the private and public keys from the Splunk-provided Splunk Cloud Universal Forwarder credentials package. You will also need to reference the CA Certificate located in the same package.

You can reuse many of the settings in this Splunk Cloud package to set up Splunk Cloud Destinations. Use the following steps:

Step 1. Extract the splunkclouduf.spl package on the Cribl Stream instance that you will be connecting to Splunk Cloud. You will have a folder that looks something like this:

100_my-splunk-cloud_splunkcloud
	/default/
 		outputs.conf
		limits.conf
		your-splunk-cloud_server.pem
		your-splunk-cloud_cacert.pem

Step 2. (optional) Test connectivity to Splunk Cloud, using the Root CA certificate:

echo | openssl s_client -CAfile 100_<your-splunk-cloud>_splunkcloud/default/my-splunk-cloud_cacert.pem -connect inputs1.<your-splunk-cloud>.splunkcloud.com:9997

To test the connection, you can use any of the URLs listed in the [tcpout:splunkcloud] stanza’s outputs.conf section.

You can simplify Steps 3 and 4 below by dragging and dropping (or uploading) the .pem files into Cribl Stream’s New Certificates modal. See Configure TLS for API and UI Access.

Step 3. Extract the private key from the Splunk Cloud certificate. At the prompt, you will need the sslPassword value from the outputs.conf. Using Elliptic Curve keys:

openssl ec -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out private.pem

If you are using RSA keys, instead use:

openssl rsa -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out private.pem

Step 4. Extract the public key for the Server Certificate:

openssl x509 -in 100_<your-splunk-cloud>_splunkcloud/default/<your-splunk-cloud>_server_cert.pem -out server.pem

Step 5. In the Splunk Load Balanced Destination’s TLS Settings (Client Side) section, enter the following:

  • CA Certificate Path: Path to <your-splunk-cloud>_cacert.pem.
  • Private Key Path (mutual auth): Path to private.pem (Step 3 above).
  • Certificate Path (mutual auth): Path to server.pem (Step 4 above).

In a distributed deployment, enter this Destination configuration on each Worker Group/Fleet that forwards to Splunk Cloud. Then commit and deploy your changes.

Step 6. In a distributed deployment, enable Worker UI access, and verify that the Certificate files have been distributed to individual workers. If they are not present, copy the Certificate files to the Workers, using exactly the same paths you used at the Group level.

Notes About Forwarding to Splunk

  • Data sent to Splunk is not compressed.

  • The only ack from indexers that Cribl Stream listens for and acts upon is the shutdown signal described in Minimize in‑flight data loss above.

  • If events have a Cribl Stream internal field called __criblMetrics, they’ll be forwarded to Splunk as metric events.

  • If events do not have a _raw field, they’ll be serialized to JSON prior to sending to Splunk.

  • You can copy and paste the Splunk Cloud servers from the [tcpout:splunkcloud] stanza into General Settings > Destinations. For example, from the example stanza below, you would copy only the bolded contents:

    [tcpout:splunkcloud]

    server = inputs1.your-splunk-cloud.splunkcloud.com:9997, inputs2.your-splunk-cloud.splunkcloud.com:9997, inputs3.your-splunk-cloud.splunkcloud.com:9997, inputs4.your-splunk-cloud.splunkcloud.com:9997, inputs5.your-splunk-cloud.splunkcloud.com:9997, inputs6.your-splunk-cloud.splunkcloud.com:9997, inputs7.your-splunk-cloud.splunkcloud.com:9997, inputs8.your-splunk-cloud.splunkcloud.com:9997, inputs9.your-splunk-cloud.splunkcloud.com:9997, inputs10.your-splunk-cloud.splunkcloud.com:9997, inputs11.your-splunk-cloud.splunkcloud.com:9997, inputs12.your-splunk-cloud.splunkcloud.com:9997, inputs13.your-splunk-cloud.splunkcloud.com:9997, inputs14.your-splunk-cloud.splunkcloud.com:9997, inputs15.your-splunk-cloud.splunkcloud.com:9997

    compressed = false

  • From limits.conf, copy the [thruput] value, then paste it into Advanced Settings > Throttling.

  • If you enable both (1) indexer discovery and (2) TLS with certificate validation, you see might errors. This happens because the IPs discovered (by default) for the indexers will not match the fully qualified domain names (FQDNs) referenced by the indexer certificates. This causes the TLS handshake to fail.

    • As a workaround, use server.conf on each indexer, setting register_forwarder_address = <your.idx.fqdn>. Cribl Stream will now get that value, and the certificates will match.

  • See Splunk’s documentation on editing fields.conf to ensure the visibility of index-time fields sent to Splunk by Cribl Stream.

Troubleshooting

The Destination’s configuration modal has helpful tabs for troubleshooting:

Live Data: Try capturing live data to see real-time events as they flow through the Destination. On the Live Data tab, click Start Capture to begin viewing real-time data.

Logs: Review and search the logs that provide detailed information about the delivery process, including any errors or warnings that may have occurred.

Test: Ensures that the Destination is correctly set up and reachable. Verify that sample events are sent correctly by clicking Run Test.

You can also view the Monitoring page that provides a comprehensive overview of data volume and rate, helping you identify delivery issues. Analyze the graphs showing events and bytes in/out over time.

Cribl University’s Advanced Troubleshooting short courses include Destination Integrations: Splunk LB and Destination Integrations: Splunk Cloud. To follow these direct course links, first log into your Cribl University account. (To create an account, select the Sign up link. You’ll need to select through a short Terms & Conditions presentation, with chill music, before proceeding to courses – but Cribl’s training is always free of charge.) Once logged in, check out other useful Advanced Troubleshooting short courses and Troubleshooting Criblets.