mstopa-splunk
@jenworthington ready for the next iteration
@jenworthington thank you it all looks great, please see my comments
@jenworthington something went wrong and your changes to `docs/gettingstarted/getting-started-splunk-setup.md` from the last pass were not committed. I opened all previous comments again, please go through them and commit the final...
@jenworthington ready for the final pass
Hi @Stjubit right, interesting issue :) Please send the pcap to [email protected] or through Splunk support
sure, those work fine too. Ok let me take a look, this may take some time because it's not an easy case
hi @olivierpas if that's your custom parser and the problem is directly with the syslog-ng DSL we can help on a best effort basis. Please provide a minimal reproducible example
@olivierpas I wondered if there was a way to recreate this in my lab but let's start on your side. So `count(_raw)` != `sum(repetition)`. But both correctly dropped to ~30%...
take a look at what I can be missing here: 1. I tried to make a minimal reproducible example: ```conf block parser app-dest-test-grouping-by() { channel { rewrite { r_set_splunk_dest_default(sourcetype("test:grouping-by")); set("t_kv_values", value(".splunk.sc4s_template"));...
``` So your suggestion is that syslog-ng never releases the aggregated log because the timeout is too high? ``` Exactly. When you use my conf and script, but never...