I'm trying to index a few Splunk internal logs like splunkd, metrics, web*, audit, etc. under /var/log/splunk into another index; however, all the logs are populating in the other index except audit.log.
I changed the audit log location in log.cfg (log-local.cfg) to another directory and was then able to index it.
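For readers who want to see what the two configuration pieces mentioned in this thread look like side by side, here is an added example (not posted by anyone in the thread and not Splunk's shipped defaults): a forwarder-side inputs.conf stanza that monitors /var/log/splunk into a custom index, and a log-local.cfg override that moves audit.log to a separate directory. The index name `uf_logs`, the sourcetype name and the new directory are made up for illustration, and the `appender.audit.fileName` key is assumed from the appender layout of log.cfg; confirm the exact key in your own log.cfg before copying it.

```ini
# --- inputs.conf (e.g. etc/apps/<your_app>/local/inputs.conf on the forwarder) ---
# Added example, not from the thread. Monitors the internal log directory named
# in the question and routes it to a custom index. "uf_logs" is a made-up index
# name and must already exist on the indexer, otherwise events are dropped.
[monitor:///var/log/splunk]
index = uf_logs
sourcetype = uf_internal_logs      ; assumed name, pick your own
whitelist = \.log(\.\d+)?$           ; current files plus rolled copies (.log.1 ...)
disabled = false

# --- log-local.cfg (same directory as log.cfg; survives upgrades, log.cfg does not) ---
# Moves audit.log out of /var/log/splunk so it can be monitored on its own.
# Key name is an assumption based on the appender.* layout of log.cfg.
appender.audit.fileName=/var/log/splunk-audit/audit.log

# --- second inputs.conf stanza for the relocated audit log ---
[monitor:///var/log/splunk-audit/audit.log]
index = uf_logs
sourcetype = uf_audit_log          ; assumed name
disabled = false
```

After editing log-local.cfg the forwarder has to be restarted for the appender change to take effect; a check that it worked is simply that new lines appear in the new audit.log path and that a search over `index=uf_logs` returns them.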
Not sure, but just a thought: the audit and splunkd logs may already be indexed through Splunk's own internal indexes, isn't it?!?!
Yes; however, I'd like to send many UF internal logs to another existing index rather than Splunk's own internal index, in order to develop a customized app.