Edge Delta Splunk Load Balanced Destination

Configure the Edge Delta Splunk Load Balanced destination to automatically discover and distribute data across Splunk indexers for improved throughput and reliability.

Overview

The Splunk Load Balanced destination automatically discovers available indexers from a Splunk cluster manager and distributes data across them. This provides automatic load balancing and improved reliability compared to sending data to a single endpoint.

The node periodically queries the cluster manager to retrieve the current list of active indexers, enabling dynamic adaptation to cluster topology changes without manual configuration updates.

Note: This node is currently in beta and is available for Enterprise tier accounts.

This node requires Edge Delta agent version v2.9.0 or higher.

Example Configuration


This configuration connects to a Splunk cluster manager and automatically discovers indexers to load balance data across.

nodes:
  - name: splunk_lb
    type: splunk_lb_output
    endpoint: "https://cluster-manager.example.com:8089"
    token: '{{ SECRET splunk_password }}'
    site: default
    fetch_interval: 5m0s
    validate_cluster_manager_certs: true

See Secrets for information on securely storing credentials.

Required Parameters

name

A descriptive name for the node. This is the name that appears in the pipeline builder, and it is how you reference this node elsewhere in the YAML. It must be unique across all nodes. It is a YAML list element, so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: splunk_lb_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

endpoint

The Splunk cluster manager endpoint URI in the format scheme://host:port. This is the management port of your cluster manager, typically port 8089.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: "https://cluster-manager.example.com:8089"
    token: <token>

token

Splunk token to authenticate with the cluster manager. Use the {{ SECRET secret_name }} syntax to reference secrets stored securely in Edge Delta. See Secrets for more information.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: '{{ SECRET splunk_token }}'

Optional Parameters

site

The clustering site from which indexers should be discovered. Use this to target indexers in a specific site within a multi-site cluster. Default is default.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    site: site1

fetch_interval

The interval between consecutive indexer list fetches from the cluster manager. The node periodically queries the cluster manager to discover new indexers or detect removed ones. Default is 5m.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    fetch_interval: 10m

validate_cluster_manager_certs

When enabled, the node validates the cluster manager’s TLS certificate against the system’s certificate authorities during indexer discovery. When disabled, self-signed or otherwise untrusted cluster manager certificates are accepted without verification. Default is false. This setting covers only the discovery connection to the cluster manager; TLS for the data connections to the indexers is configured separately under tls.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    validate_cluster_manager_certs: true

index_expression

OTTL expression to dynamically extract and apply the Splunk index from data attributes instead of using a static index. This allows routing different data to different indexes based on data content.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    index_expression: attributes["splunk_index"]

keep_overridden_index

When set to true, the attribute used for index override (specified in index_expression) is retained in the data. When false, the attribute is removed after the index is extracted. Default is false.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    index_expression: attributes["splunk_index"]
    keep_overridden_index: true

parallel_worker_count

Number of parallel workers for sending data to indexers. Increase this value to improve throughput for high-volume data streams. Default is 2.

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    parallel_worker_count: 4

tls

TLS configuration for secure connections to Splunk indexers.

Field                     Description                                                         Default
------------------------  ------------------------------------------------------------------  -------
enabled                   Enable TLS for indexer connections                                  false
ignore_certificate_check  Disable certificate verification (not recommended for production)   false
ca_file                   Path to CA certificate file                                         -
crt_file                  Path to client certificate file                                     -
key_file                  Path to client private key file                                     -
min_version               Minimum TLS version (TLSv1_2, TLSv1_3)                              TLSv1_2

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    tls:
      enabled: true
      ca_file: /etc/ssl/certs/splunk-ca.crt
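The two settings above (validate_cluster_manager_certs for discovery, tls for the indexer data path) are independent, and both default to off. The following added example, which is not part of the Edge Delta documentation, places the default (unverified) node next to a fully verified one; hostnames, secret names and certificate paths are placeholders.

```yaml
# Added example: the same destination twice, first with the defaults that
# skip certificate verification, then with both connections verified.
# Hostnames, secret names and file paths are placeholders.
nodes:
  # Defaults in effect: validate_cluster_manager_certs is false, so any
  # certificate presented by the cluster manager is accepted during
  # discovery, and tls.enabled is false, so no TLS is configured for the
  # indexer connections.
  - name: splunk_lb_unverified
    type: splunk_lb_output
    endpoint: "https://cluster-manager.example.com:8089"
    token: '{{ SECRET splunk_token }}'

  # Verified: the cluster manager certificate is checked against the
  # system CAs during discovery, and indexer connections require TLS 1.3,
  # a pinned CA bundle, and a client certificate for mutual TLS.
  - name: splunk_lb_verified
    type: splunk_lb_output
    endpoint: "https://cluster-manager.example.com:8089"
    token: '{{ SECRET splunk_token }}'
    validate_cluster_manager_certs: true
    tls:
      enabled: true
      ignore_certificate_check: false
      ca_file: /etc/ssl/certs/splunk-ca.crt
      crt_file: /etc/edgedelta/certs/forwarder.crt
      key_file: /etc/edgedelta/certs/forwarder.key
      min_version: TLSv1_3
```

A deployment that needs the first form (for example, a lab cluster with self-signed certificates) is better served by adding the signing CA to ca_file and the system trust store than by leaving verification off.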

persistent_queue

Configure persistent buffering for reliability when Splunk indexers are temporarily unavailable.

Field             Description
----------------  -----------------------------------------------
path              Directory path for buffer storage
max_byte_size     Maximum buffer size (e.g., 1GB)
mode              Buffer mode: error, backpressure, or always
strict_ordering   Maintain strict event ordering
drain_rate_limit  Maximum items per second to drain from queue

nodes:
  - name: <node name>
    type: splunk_lb_output
    endpoint: <endpoint>
    token: <token>
    persistent_queue:
      path: /var/lib/edgedelta/splunk-buffer
      max_byte_size: 1GB
      mode: error

How It Works

  1. Discovery: The node connects to the Splunk cluster manager and queries for available indexers in the specified site.
  2. Load Balancing: Incoming data is distributed across discovered indexers using a load balancing algorithm.
  3. Refresh: The indexer list is refreshed at the configured fetch_interval to detect topology changes.
  4. Failover: If an indexer becomes unavailable, data is automatically routed to other healthy indexers.

Use Cases

High-Availability Splunk Ingestion

Automatically distribute logs across all available indexers in your Splunk cluster for improved throughput and resilience.

nodes:
  - name: splunk_ha
    type: splunk_lb_output
    endpoint: "https://cluster-manager:8089"
    token: '{{ SECRET splunk_token }}'
    fetch_interval: 5m
    parallel_worker_count: 4
    persistent_queue:
      path: /var/lib/edgedelta/splunk-buffer
      max_byte_size: 2GB
      mode: error

Multi-Site Cluster Targeting

Send data to indexers in a specific site within a multi-site Splunk deployment.

nodes:
  - name: splunk_site1
    type: splunk_lb_output
    endpoint: "https://cluster-manager:8089"
    token: '{{ SECRET splunk_token }}'
    site: site1
    validate_cluster_manager_certs: true

Dynamic Index Routing

Route data to different Splunk indexes based on data attributes.

nodes:
  - name: splunk_dynamic
    type: splunk_lb_output
    endpoint: "https://cluster-manager:8089"
    token: '{{ SECRET splunk_token }}'
    index_expression: attributes["target_index"]
    keep_overridden_index: false
