In Splunk Connect for Syslog (SC4S), SC4S_DEST_GLOBAL_ALTERNATES
has been deprecated since version 2. Instead, enable SC4S_ARCHIVE_GLOBAL
which stores a copy of events locally, not only for archiving (if that’s what you intend) but also useful for troubleshooting dropped events.
If compliance_meta_by_source.conf
is not working, you may have to create a custom post-filter in “/opt/sc4s/local/config/filters/“ instead.