Hi richgalloway,
Thank you for your comment. I will check props.conf when I am back in the office on Monday.
There are 2 heavy forwarders.
The IBM QRadar is hosted in the IBM managed SaaS cloud.
All the logs collected by Splunk from various log sources are forwarded to QRadar.
Splunk is configured to send all logs in the raw data (_raw) format to the data gateway of QRadar.
The data transmission will be via the output from a query run every minute. This query outputs all new data received in that time period.
A load balancer (F5) is deployed to set up this configuration.