Splunk syslog is receiving only a small number of logs from DLP log forwarding
Created On 08/01/25 14:46 PM - Last Modified 11/13/25 00:26 AM
Symptom
The Splunk syslog server received fewer than half of the DLP logs, while the DLP portal showed a much larger number of incidents.
Environment
- A Splunk syslog server (on-premises or hosted on a cloud service such as AWS)
- The Splunk syslog server is configured as a log forwarding destination in the DLP portal
Cause
One or more of the following can cause this issue:
- Rate limiting on the Splunk server itself may be throttling the incoming syslog traffic
- If the syslog server is hosted on a cloud service such as AWS, it may sit behind a load balancer, router, switch, or firewall; any rate limiting or packet drops on those elements leads to missing logs
- If the syslog server is on-premises, load balancers, firewalls, or other network elements in the path may throttle the traffic by dropping packets or enforcing rate limits
Resolution
First identify whether the cause is on the customer side before engaging the DLP backend team:
- Investigate the customer-side infrastructure and network elements between DLP log forwarding and the syslog server. If any element in the path, including the syslog server itself, has a rate limit set or is dropping traffic, start there.
- Check whether the syslog server is dropping packets.
- If the issue persists after the customer-side network infrastructure has been fixed, open a Jira ticket so the DLP backend can be reviewed to confirm that all logs are being forwarded.
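The following is an added triage helper for the "check whether the syslog server is dropping packets" step; it is not part of this article and not a DLP or Splunk tool. It assumes the syslog server is a Linux host receiving syslog over UDP, and it reads the kernel's UDP counters from /proc/net/snmp: a rising InErrors or RcvbufErrors count between two snapshots means datagrams arrived at the host but were discarded before syslog could read them (typically a receive buffer that is too small for the burst rate). The sample snapshots in the block are constructed so the parsing logic can be exercised offline; the live check runs against the real file when present.

```shell
#!/bin/sh
# Added example (not from the KB article): detect UDP datagram drops on a Linux
# syslog host by diffing the "Udp:" counters in /proc/net/snmp.
# Assumption: Linux /proc/net/snmp layout (a header line and a value line, both
# prefixed "Udp:"), and that DLP forwards syslog over UDP to this host.

# udp_counter <snapshot_text> <column_name>
# Prints the value of one named Udp column from a /proc/net/snmp style snapshot.
udp_counter() {
    printf '%s\n' "$1" | awk -v col="$2" '
        # First "Udp:" line is the header: remember each column position.
        $1 == "Udp:" && !got_header { for (i = 2; i <= NF; i++) idx[$i] = i; got_header = 1; next }
        # Second "Udp:" line carries the values: print the requested one.
        $1 == "Udp:" && got_header  { if (col in idx) print $(idx[col]); else print 0; exit }'
}

# udp_drop_delta <before_snapshot> <after_snapshot>
# Prints "<InErrors delta> <RcvbufErrors delta>" between the two snapshots.
udp_drop_delta() {
    b_in=$(udp_counter "$1" InErrors);     a_in=$(udp_counter "$2" InErrors)
    b_rb=$(udp_counter "$1" RcvbufErrors); a_rb=$(udp_counter "$2" RcvbufErrors)
    echo "$((a_in - b_in)) $((a_rb - b_rb))"
}

# udp_drop_verdict <before_snapshot> <after_snapshot>
# Prints DROPPING if either drop counter grew, otherwise OK.
udp_drop_verdict() {
    set -- $(udp_drop_delta "$1" "$2")
    if [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then echo DROPPING; else echo OK; fi
}

# Constructed sample snapshots (same column layout as a real /proc/net/snmp).
# SAMPLE_AFTER shows 2410 datagrams discarded for lack of receive buffer space.
SAMPLE_BEFORE='Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
Udp: 120000 3 0 500 0 0 0 0 0'
SAMPLE_AFTER='Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
Udp: 180000 3 2410 520 2410 0 0 0 0'

# live_udp_check [seconds]
# Takes two snapshots of the running host's counters and reports the deltas.
live_udp_check() {
    secs="${1:-5}"
    [ -r /proc/net/snmp ] || { echo "no /proc/net/snmp (not a Linux host?)"; return 0; }
    before=$(cat /proc/net/snmp)
    sleep "$secs"
    after=$(cat /proc/net/snmp)
    echo "UDP drops over ${secs}s (InErrors RcvbufErrors): $(udp_drop_delta "$before" "$after")"
    echo "verdict: $(udp_drop_verdict "$before" "$after")"
}

# Offline demonstration on the constructed snapshots:
echo "sample deltas: $(udp_drop_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
echo "sample verdict: $(udp_drop_verdict "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
```

Run `live_udp_check 10` on the syslog host during a period when the DLP portal is generating incidents; a non-zero RcvbufErrors delta points at the host's own UDP receive buffer rather than an upstream load balancer or firewall, which is the distinction the resolution steps ask you to make before involving the DLP backend team. If the syslog transport is TCP rather than UDP, these counters will not move and the loss must be looked for on the network path or in the receiver's own logs instead.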