I assume you've done a trace on both ends to make sure that the syslog data is being sent from the originating servers and being received on the Splunk instance?
Is there another syslog daemon running on your Splunk instance or another application using that port? If so, then it's possible the syslogs coming into your machine are being aggregated into the local syslog.
I would suggest doing a netstat to make sure there are no other applications using that. Or changing to a different port above 1024.
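The port check suggested above, as an added example that is not part of the original post: it parses `ss -H -lntup` output (the iproute2 counterpart of netstat) and reports which process holds a port. Port 514 and the process names `rsyslogd` and `splunkd` are assumptions, since the post names neither, and the sample output is constructed.

```shell
#!/bin/sh
# Constructed sample of `ss -H -lntup` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*    users:(("rsyslogd",pid=812,fd=5))
udp   UNCONN 0      0               [::]:514           [::]:*    users:(("rsyslogd",pid=812,fd=6))
tcp   LISTEN 0      128          0.0.0.0:8089       0.0.0.0:*    users:(("splunkd",pid=1501,fd=4))
tcp   LISTEN 0      128          0.0.0.0:5140       0.0.0.0:*
EOF
}

# listeners_on_port PORT
# Reads ss output on stdin and prints "proto local-address process pid" for
# every socket bound to exactly PORT (514 must not match 5140).
listeners_on_port() {
    awk -v port="$1" '
    {
        n = split($5, a, ":")            # port is the last ":"-separated piece, IPv6 included
        if (a[n] != port) next
        name = "unknown"; pid = "-"      # ss hides the owner unless run as root
        if ($7 ~ /^users:/) {
            split($7, q, "\"")
            name = q[2]
            if (match($7, /pid=[0-9]+/)) pid = substr($7, RSTART + 4, RLENGTH - 4)
        }
        print $1, $5, name, pid
    }'
}

# port_conflict PORT EXPECTED_PROCESS
# Exit status 0 when some listener on PORT is not EXPECTED_PROCESS, i.e. another
# daemon is receiving the traffic; exit status 1 otherwise.
port_conflict() {
    listeners_on_port "$1" | awk -v want="$2" '$3 != want { bad = 1 } END { exit bad ? 0 : 1 }'
}

# Demo on the constructed sample. On a live host, run as root:
#   ss -H -lntup | listeners_on_port 514
sample_ss_output | listeners_on_port 514
if sample_ss_output | port_conflict 514 splunkd; then
    echo "port 514 is held by a process other than splunkd"
fi
```

In the sample, both the IPv4 and IPv6 sockets on 514 belong to the local syslog daemon, which is the situation the post describes: the forwarded events end up in the local syslog rather than in Splunk.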