Splunk does not recommend a load balancer between a forwarder and receiver. How do you guys get data into Cribl to transform before hitting Splunk indexers?
Question
How do you guys get data into Cribl to transform before hitting Splunk indexers?
We support S2S and the SplunkLB output does its own load balancing. Does that answer your question ?
I will be configuring a Splunk Universal Forwarder to output to the Load Balancer that sits in front of Cribl, which will then feed into Splunk Indexers.
You should still not put a load balancer between your UF and Cribl. It still speaks S2S and that can still result in broken data
Give your UF a DNS target that resolves to all your Cribl workers, and the UF will auto load balance
That is, unless you use HTTPOUT on the UFs
Why?
we have this working, we just give cribl the Cluster manager and splunk handled the rest. You can check this in the status page the Destination. It would have listed out all your splunk indexers
It's actually less of a problem with Cribl in the middle because we do event breaking and spread the events properly at the index tier.
Yeah, Cribl distributes very well. Putting a LB between UF and Cribl can cause partial events, or stuck UFs. Splunk has loadbalancing built-in, use it 
Stuck UFs, no big deal, doesn't really matter what worker it hits other than in theory you could end up with a very busy worker process. Partial events, also shouldn't really happen, what have you seen and why?
Sign up
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.