You could try something like this | appendpipe [| stats avg(*) as average_*] | addcoltotals | foreach average_* [| eval <<MATCHSEG1>>=if(isnull(<<MATCHSEG1>>),<<FIELD>>,<<MATCHSEG1>>)] | fields - average_*

Apart from all that @richgalloway already mentioned, this document shows results of testing on some particular reference hardware. It's by no means a guarantee that an input will work with this performance. Also remember that windows eventlog inputs get the logs by calling the system using winapi whereas file input just reads the file straight from the disk (most probably using memory-mapped files since it's most effective method). And last but definitely not least - as I already pointed out - UF typically doesn't break data into events!

That document is for a specific source where the event size is well-defined.  The information there cannot be generalized because the size of an "event" is unknown.  I've seen event sizes range from <100 to >100,000 bytes so it is very difficult to produce an EPS number without knowing more about the data you wish to ingest. It's possible the documentation for other TAs provides the information you seek.  Have you looked at the TAs for your data?

Thank you @PickleRick for you concern, 1. I have tried to embed report on my website as per following this document Embed scheduled reports. But I was not able to embed Splunk data report on my website, it was showing “Report not available” and in console showing 401 Unauthorized status code, Please check this image and reply. 2. I will follow this app well  Embedded Dashboards For Splunk (EDFS) 3.  Sure, i will try to use backend (server-side code) service to get Splunk data securely using the REST API.  Please let me explore more about REST API for backend service and where i have to request for REST API.

Unfortunately, all the fields required are present in the raw event. The tags were also produced correctly.  In this (quite old) thread https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312738 I've found an issue somehow connected to mine, as mine problems are also connected to the user and src_user field extraction and my AD server is also in a non-english language.   Has anyone found the underlying issue? 

It's interesting what you write here, syslog-ng was the first one to support TCP based logging, so it definitely supports that. Dropping of UDP packets is a known issue, but there are a lot of ways to improve that. Here are a couple of blog posts: https://axoflow.com/syslog-over-udp-kernel-syslog-ng-tuning-avoid-losing-messages/ https://axoflow.com/detect-tcp-udp-message-drops-syslog-telemetry-pipelines/ Kafka is just a message bus, you will need a component to actually receive the messages and then hand them over to kafka. of course syslog-ng can do that: https://axoflow.com/docs/axosyslog-core/chapter-destinations/configuring-destinations-kafka-c/  

The whole idea is tricky. If you want to use an embedded report - that's relatively easy and safe - you can embed _scheduled_ report so they are generated using predefined configuration and you can embed the resulting report into your external webpage. With stuff more "dynamic" it's way more tricky because it involves a whole lot of making sure you don't accidentally create a security vulnerability for your environment and don't let the user do much more with your Splunk installation than you initially intended. There is an app https://splunkbase.splunk.com/app/4377 which is supposed to do that or at least help with that but I haven't used it and I don't know if/what limitations it has. Of course another thing would be to use REST api in your app to call Splunk servers and generate proper output which you could then present to your user but due to the security issues I mentioned before, it's something you'd rather do in your backend and only present the user with the results embedded in your web app by said backend than let the browser call the Splunk search-heads directly.

@pranay03 Are you able to resolve this issue. I am as well facing same issue. In the console log it shows it started watching, however i could not see the logs in Web portal. Please let me know your thoughts and suggestions.