Getting Data In

How do I stop forwarding the _audit index?

jeromep83
Engager

Hi,

I'm trying to stop forwarding _audit index.
I put in my outputs.conf the following lines:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false

It should block all indexes beginning with "_". Am i right ?
It doesn’t work because I am still seeing forwarded audit logs:

Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]

Do you know how to stop it ?

Thanks for your time,

0 Karma
1 Solution

matts1234
Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

View solution in original post

0 Karma

matts1234
Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...