Question

Splunk Cloud license usage differs between Cribl Splunk LB S2S and Cribl HEC destinations — date_*/timepos fields to blame?

  • July 2, 2026

We've noticed that when sending data to Splunk Cloud that originates from an on-prem Splunk Heavy Forwarder (e.g. syslog and API), the Splunk license cost differs depending on whether we send the data via Splunk LB (S2S) or Splunk HEC destinations. We think that the date_* and timepos fields are responsible for the increase in license usage. If we strip these fields in a Cribl pipeline before sending to Splunk Cloud, license usage looks fine and in line with direct-to-Splunk ingestions, but the events are then missing these expected fields (whereas with native Splunk components, the fields are present). The raw event size doesn't differ (| eval raw_len=len(_raw)). Have you encountered this before, and if so, how did you solve it?