I’ve done this integration a few times. There’s no official Splunk add-on for Forcepoint DLP, but the standard method is to use the syslog output from Forcepoint to send logs to Splunk.   You’ll want to configure Forcepoint to forward DLP events to a syslog server, then set up a Splunk data input (TCP/UDP) to ingest them. I usually use a dedicated heavy forwarder to handle the syslog feed, then parse it with custom props/transforms to extract fields properly. Works way better than trying to use API pulls, which can get messy with volume. ... View more

This is such a common problem with high-volume logging — we’ve dealt with the exact same thing!   What’s worked for us is using two separate inputs.conf stanzas with different queue and pipeline settings. We assign the critical logs to a pipeline with higher priority and larger queueSize, while the high-volume non-critical logs go to a separate pipeline with lower concurrency and a smaller queue. It keeps the critical stuff moving in near-real-time without starving the system.   Also, using maxKBps on the high-volume inputs to cap their throughput really helps prevent them from overwhelming the forwarder. ... View more