There is a very severe issue with forwarding to a 3rd party syslog from any full Splunk instance (SH, HF, Indexer, etc.). Let's say you want to send data to a 3rd party syslog via TCP and it happens that the syslog is unreachable (not receiving data for whatever reason: service down, network down, etc.). After some time all queues start to fill up, from output (e.g. the output queue for a syslog target group is just 97B and you cannot change it) over parsing (parsing, merging, typing, ...) to input queues. Once the input queue is full the Splunk instance will stop receiving data - on an indexer you effectively STOP indexing. This is by design.

There are some solutions for this - none is great.

1. Send to a 3rd party syslog via UDP - not reliable and for many customers unacceptable.
2. Send the requested content via some other "tool". If you want to send out locally monitored files you can use SyslogNG or Cribl if the target destination is a syslog-capable consumer. BTW Cribl is the only non-Splunk solution out on the market that supports native input/output for Splunk's proprietary S2S protocol. So you can collect data by UF and send it to Cribl for processing and forward it further to Splunk, Syslog and many other targets.

You cannot solve this puzzle with Splunk only, ideally.
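An added check, not part of the original post: the queue back-pressure described above is visible in Splunk's internal metrics.log as `group=queue` lines, where a queue that has stopped accepting data carries `blocked=true`. The script below parses such lines (the sample is constructed and assumes the metrics.log key=value layout and the queue names used here) and reports where the saturation front sits between the input and output side, so you can catch the cascade before the input queue fills.

```python
import re

# Constructed sample in the layout of Splunk's internal metrics.log
# (assumption: real lines carry these key=value fields; values are made up).
SAMPLE_METRICS_LOG = """\
08-23-2024 10:30:00.101 +0000 INFO  Metrics - group=queue, name=indexqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=120, largest_size=120, smallest_size=0
08-23-2024 10:30:00.101 +0000 INFO  Metrics - group=queue, name=typingqueue, blocked=true, max_size_kb=500, current_size_kb=497, current_size=117, largest_size=117, smallest_size=0
08-23-2024 10:30:00.101 +0000 INFO  Metrics - group=queue, name=aggqueue, max_size_kb=1024, current_size_kb=1000, current_size=201, largest_size=201, smallest_size=0
08-23-2024 10:30:00.101 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=300, current_size=40, largest_size=900, smallest_size=0
08-23-2024 10:30:00.101 +0000 INFO  Metrics - group=pipeline, name=parsing, processor=utf8, cpu_seconds=0.01, executes=3, cumulative_hits=100
"""

# Input-side to output-side order; a blocked output backs up toward the front.
PIPELINE_ORDER = ["parsingqueue", "aggqueue", "typingqueue", "indexqueue"]
QUEUE_LINE = re.compile(r"group=queue, (?P<fields>.+)$")
KV = re.compile(r"(\w+)=([^,\s]+)")


def parse_queue_metrics(text):
    """Return {queue_name: {blocked, max_size_kb, current_size_kb, fill_pct}}."""
    queues = {}
    for line in text.splitlines():
        m = QUEUE_LINE.search(line)
        if not m:
            continue  # pipeline/processor lines are not queue samples
        fields = dict(KV.findall(m.group("fields")))
        max_kb = int(fields.get("max_size_kb", 0))
        cur_kb = int(fields.get("current_size_kb", 0))
        queues[fields["name"]] = {
            "blocked": fields.get("blocked") == "true",  # key absent when not blocked
            "max_size_kb": max_kb,
            "current_size_kb": cur_kb,
            "fill_pct": 100 * cur_kb // max_kb if max_kb else 0,
        }
    return queues


def _status(q, warn_pct):
    if q is None:
        return "missing"
    if q["blocked"]:
        return "blocked"
    return "filling" if q["fill_pct"] >= warn_pct else "ok"


def backpressure_report(text, warn_pct=90):
    """Return (saturation_front, {queue: status}); front is the first queue
    from the input side that is blocked or >= warn_pct full, else None."""
    queues = parse_queue_metrics(text)
    statuses = {name: _status(queues.get(name), warn_pct) for name in PIPELINE_ORDER}
    front = next((n for n, s in statuses.items() if s in ("blocked", "filling")), None)
    return front, statuses
```

On the sample the front is `aggqueue`: the index and typing queues are already blocked by the stalled output, and the parsing queue is still draining, which is the window in which fixing or disabling the syslog output still avoids an input stall.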