<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How do I stop forwarding the _audit index? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-stop-forwarding-the-audit-index/m-p/191648#M38154</link>
    <description>&lt;P&gt;You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: &lt;EM&gt;etc/system/default/outputs.conf&lt;/EM&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The rules above dictate: rule #1 ( forwardedindex.1.blacklist = _.* ) does successfully block all indexes that begin with an "_"; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrite rule #1 for those particular indexes.&lt;/P&gt;

&lt;P&gt;The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:&lt;/P&gt;

&lt;P&gt;Rewrite rule #2 to remove _audit:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Add a new rule #3 reinforcing the blacklist of _audit:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
forwardedindex.3.blacklist = _audit
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Either one of these should work. Cheers!&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 06:36:31 GMT</pubDate>
    <dc:creator>matts1234</dc:creator>
    <dc:date>2020-09-29T06:36:31Z</dc:date>
    <item>
      <title>How do I stop forwarding the _audit index?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-stop-forwarding-the-audit-index/m-p/191647#M38153</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I'm trying to stop forwarding _audit index.&lt;BR /&gt;
I put in my outputs.conf the following lines:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;It should block all indexes beginning with "_". Am I right?&lt;BR /&gt;
It doesn't work because I am still seeing forwarded audit logs:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Do you know how to stop it?&lt;/P&gt;

&lt;P&gt;Thanks for your time,&lt;/P&gt;</description>
      <pubDate>Mon, 06 Jul 2015 15:01:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-stop-forwarding-the-audit-index/m-p/191647#M38153</guid>
      <dc:creator>jeromep83</dc:creator>
      <dc:date>2015-07-06T15:01:03Z</dc:date>
    </item>
    <item>
      <title>Re: How do I stop forwarding the _audit index?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-stop-forwarding-the-audit-index/m-p/191648#M38154</link>
      <description>&lt;P&gt;You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: &lt;EM&gt;etc/system/default/outputs.conf&lt;/EM&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The rules above dictate: rule #1 ( forwardedindex.1.blacklist = _.* ) does successfully block all indexes that begin with an "_"; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrite rule #1 for those particular indexes.&lt;/P&gt;

&lt;P&gt;The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:&lt;/P&gt;

&lt;P&gt;Rewrite rule #2 to remove _audit:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Add a new rule #3 reinforcing the blacklist of _audit:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
forwardedindex.3.blacklist = _audit
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Either one of these should work. Cheers!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 06:36:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-stop-forwarding-the-audit-index/m-p/191648#M38154</guid>
      <dc:creator>matts1234</dc:creator>
      <dc:date>2020-09-29T06:36:31Z</dc:date>
    </item>
  </channel>
</rss>