In Splunk Connect for Syslog (SC4S), SC4S_DEST_GLOBAL_ALTERNATES has been deprecated since version 2. Instead, enable SC4S_ARCHIVE_GLOBAL which stores a copy of events locally, not only for archiving (if that’s what you intend) but also useful for troubleshooting dropped events.
If compliance_meta_by_source.conf is not working, you may have to create a custom post-filter in “/opt/sc4s/local/config/filters/“ instead.