We are new to Splunk, and originally we were going to use the UF from Splunk, but we have now decided to forward from Graylog to Splunk using the Graylog add-on.
I have this set up (inputs.conf) using a TCP listener on port 9997.
When I look in the Splunk log, I see errors indicating the payload is too large. I have tried everything. Has anyone had any experience with this? These are Windows security events.