
Docker splunk-url for cluster: Multiple values for cluster?

wsanderstii
Path Finder

For the Splunk logging driver in Docker that sends container logs to HTTP Event Collector in Splunk Enterprise and Splunk Cloud, is it possible to specify multiple values to send data to a cluster?

I.E.

    ...
    "splunk-url": "https://server1:8089",
    "splunk-url": "https://server2:8089",
    ...

or

    ...
    "splunk-url": "https://server1:8089, https://server2:8089",
    ...
0 Karma

outcoldman
Communicator

That is not supported by Splunk Logging Driver.
You need to set up your own reverse proxy (HAProxy or Nginx will work) in front of HEC to do that.

0 Karma
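
The reverse-proxy approach from the answer above, sketched as an nginx configuration. This is an added example, not something posted in the thread. The hostnames server1 and server2 come from the question; the HEC default port 8088, the proxy name, the listen port and the certificate paths are assumptions or placeholders.

```nginx
# Added example: nginx load-balancing two HEC endpoints behind one URL.
# server1/server2 are from the question; every other name, port and path
# is a placeholder or an assumption.
events {}

http {
    upstream splunk_hec {
        # Round-robin by default. A node that fails 3 attempts is taken
        # out of rotation for 30 seconds (passive health check).
        server server1:8088 max_fails=3 fail_timeout=30s;
        server server2:8088 max_fails=3 fail_timeout=30s;
        keepalive 16;
    }

    server {
        listen 8443 ssl;
        server_name hec-lb.example.internal;              # placeholder

        ssl_certificate     /etc/nginx/tls/hec-lb.crt;    # placeholder paths
        ssl_certificate_key /etc/nginx/tls/hec-lb.key;

        # Expose only the HEC endpoints through the proxy.
        location /services/collector {
            proxy_pass https://splunk_hec;

            # Verify the indexers' certificates instead of trusting any peer.
            # Without proxy_ssl_name, nginx checks the certificate against
            # the proxy_pass host, which here is the group name "splunk_hec".
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/tls/splunk-ca.pem;
            proxy_ssl_name                hec.example.internal;  # name in the HEC cert (placeholder)
            proxy_ssl_server_name         on;

            # Needed for upstream keepalive connections.
            proxy_http_version 1.1;
            proxy_set_header   Connection "";

            # Fail over on connect errors and timeouts. A POST that was
            # already sent upstream is not retried, which avoids duplicates.
            proxy_next_upstream error timeout;
        }

        # The "Authorization: Splunk <token>" header is forwarded unchanged.
        location / {
            return 404;
        }
    }
}
```

With this in place, the logging driver's `splunk-url` takes the single proxy address, here `https://hec-lb.example.internal:8443`.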

wsanderstii
Path Finder

Thanks.

OTOH the Universal Forwarder does support this, i.e. in outputs.conf:

    [tcpout]
    defaultGroup = default-autolb-group
    [tcpout:default-autolb-group]
    server = splunk01:9997,splunk02:9997

And the splunkd will sort-of round robin between the two.

0 Karma

mattymo
Splunk Employee

Have you looked at the UF as an option instead of the logging driver? What is your motivation for using the driver?

I know that in some scenarios, teams are looking to avoid logging back to the host node (which json driver does), but if that is not a concern for you, I strongly recommend you check out the UF.

I have had much success with the UF as a daemonset (in k8s) or on the docker host while using the default json driver.

Also ensures you get all the features you know and trust from the UF, and I am posting configs here (https://github.com/splunk/docker-itmonitoring) that will help you with multiline log support, indextime field extractions and beyond.

Let me know if you'd like to try the UF out and I can get you set up.

- MattyMo
0 Karma

outcoldman
Communicator

@wsanderstii, correct, the Splunk Forwarder does support this. Is there any reason why you cannot install a balancer in front?

On a side note, I just want to share that I am the author of the Splunk Logging Driver. I left Splunk a year ago and co-founded my own company, which is focused on monitoring container environments in Splunk. We have our own solution for forwarding logs and metrics from Docker to Splunk. We do not have this feature yet, but we are currently working on v3, which will include a lot of features in our applications and collector (Indexer Acknowledgment support, capacity planning monitoring, security monitoring and more). It should not be hard for us to implement balancing on Splunk output as well. If you are interested in giving it a try, see https://www.outcoldsolutions.com and send me an email at denis@outcoldsolutions.com

0 Karma