Forwarding from the event collectors directly to Unomaly can be hugely beneficial performance-wise since the log data does not need to be written to disk on the Splunk indexers before Unomaly can analyze it.
This setup forwards logs from the event collector(s) to Unomaly in syslog format. Splunk's documentation describes forwarding to a third-party service in more detail: https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Forwarddatatothird-partysystemsd
Edit outputs.conf and add:
[syslog]
defaultGroup = syslogGroup
[syslog:syslogGroup]
server = [unomaly_host]:5514
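A pre-deployment check for the syslog output settings, as an added example that is not part of the original page or of Splunk or Unomaly: it confirms that the group named by defaultGroup has a matching [syslog:<group>] stanza with a usable host:port and that the [unomaly_host] placeholder has been replaced. The function name, the sample host name and the use of Python's configparser to read the file are assumptions made for the example.

```python
import configparser

# Constructed sample: the two stanzas with a made-up host name filled in.
SAMPLE_OUTPUTS_CONF = """\
[syslog]
defaultGroup = syslogGroup

[syslog:syslogGroup]
server = unomaly.example.internal:5514
"""


def check_syslog_output(conf_text):
    """Return a list of problems in the syslog part of an outputs.conf text."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    try:
        cp.read_string(conf_text)
    except configparser.MissingSectionHeaderError:
        return ["settings appear before any [stanza] header"]
    if not cp.has_section("syslog"):
        return ["missing [syslog] stanza"]
    # Split on commas in case more than one target group is listed.
    raw = cp.get("syslog", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    problems = [] if groups else ["[syslog] has no defaultGroup"]
    for group in groups:
        stanza = "syslog:" + group
        if not cp.has_section(stanza):
            problems.append("[%s] is not defined" % stanza)
            continue
        server = cp.get(stanza, "server", fallback="").strip()
        host, sep, port = server.rpartition(":")
        if "unomaly_host" in host:
            problems.append("[%s] server still has the placeholder" % stanza)
        elif not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            problems.append("[%s] server is not host:port: %r" % (stanza, server))
    return problems


if __name__ == "__main__":
    for line in check_syslog_output(SAMPLE_OUTPUTS_CONF) or ["ok"]:
        print(line)
```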