We've noticed that when sending data to Splunk Cloud that originates from an on-prem Splunk Heavy Forwarder (e.g. syslog and API), the Splunk license cost differs depending on whether we send the data via Splunk LB (S2S) or Splunk HEC destinations. We think that the date_* and timepos fields are responsible for the increase in license usage. If we strip these fields in a Cribl pipeline before sending to Splunk Cloud, license usage looks fine and in line with direct-to-Splunk ingestions, but the events are then missing these expected fields (whereas with native Splunk components, the fields are present). The raw event size doesn't differ (| eval raw_len=len(_raw)). Have you encountered this before, and if so, how did you solve it?
Question
Splunk Cloud license usage differs between Cribl Splunk LB S2S and Cribl HEC destinations — date_*/timepos fields to blame?
