We are forwarding data coming from our universal forwarders to an external Syslog server.
Our current Dataflow Architecture
Universal Forwarder -> Regional Heavy Forwarder -> Final Heavy forwarder -> Indexer
the data is received from the universal forwarder and an output sends the data to Regional Heavy Forwarder. There is another output that sends the data to the final Heavy forwarder. Once the data gets to the final heavy forwarder we have outputs that output data to indexer and duplicate stream to external Syslog.
ISSUE
The event count in the external Syslog server from the duplicate stream is almost half than the data that was indexed by Splunk. So from Splunk to our external Syslog server, we are dropping events.
ASK
I would like to know if there is a tstat command or something is Splunk that would give some metrics of how much data is being sent to the external source from a particular outputs.conf.
To send data to external syslog we are using the below solution
props.conf
[sourcetype]
TRANSFORMS-sample = sample_syslog_trend
transforms.conf
[sample_syslog_trend]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = sample_syslog
outputs.conf
[syslog:sample_syslog]
server = hostname/ipaddress:514
sendCookedData = false
