Having tried to disable monitoring of the metrics and splunkd logs today, it does look as though disabled = 1 doesn't work for these sources on the universal forwarder. There are monitors for these in both the Splunk universal forwarder app on the forwarder and in the system default. I put entries in system local to disable all of them and checked btool after a restart to confirm they are disabled. However, internal logs still get forwarded. I didn't try hardcoding into default, because that is just a pain. I guess another option would be to nullQueue on the indexers. However, it is frustrating that this doesn't appear to work in accordance with accepted Splunk rules.
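An added example, not the poster's own configuration: the indexer-side nullQueue fallback the post mentions, written as props.conf and transforms.conf stanzas. It assumes the forwarder's internal logs arrive with their default source paths under var/log/splunk.

```ini
# Added example (not from the original post). Placed on the indexer, or on
# whichever instance parses the forwarder's data, under
# $SPLUNK_HOME/etc/system/local/. Events are routed to the nullQueue at parse
# time, so they are never indexed. The source pattern assumes the default UF
# log location; "..." matches any leading path, "(/|\\)" covers both
# Unix and Windows separators.

# ---- props.conf ----
[source::...(/|\\)var(/|\\)log(/|\\)splunk(/|\\)(metrics|splunkd).log]
TRANSFORMS-drop_uf_internal = drop_uf_internal

# ---- transforms.conf ----
[drop_uf_internal]
# Match every event from the sources above and send it to the nullQueue.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```

This pattern also matches the indexer's own splunkd.log and metrics.log, so if those must still be indexed, scope the props.conf stanza by a host:: pattern covering only the forwarders instead.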