It's not creating a _raw field. However, whenever you send an event that does not have a _raw field to Splunk, Cribl will automatically take all the fields of that event, convert them into a JSON and write that to _raw

Leader Node logs would need a collection agent of some sort. I'd recommend Edge Worker Node logs are handled by the Internal sources (Data -> Sources) and are delivered in JSON. YOu can route them to Splunk via S2S or HEC, but I'd recommend using Serialize to push all the bare JSON fields into a _raw object

You can easily enable the cribl internal logs src and route to splunk destination. As noted - to get logs from the cribl leader in distributed deployment you will need another agent such as cribl edge or a splunk UF. If your enabling and routing the cribl internal metrics to splunk be sure to setup a splunk metric index type.

Thank you everyone for quick response. I could see data in json after forwarding to splunk through splunk hec dest.

regarding leader node, my deployment is in k8s, so is there any quick ways instead of baking edge on leader node's k8s deployment?