Late but valid for future queries 🙂 It is possible to forward raw events from the UF by adding the following info to the outputs.conf: sendCookedData = false
If it's a distributed environment and clustering is not implemented, remove the _blocksignature index configuration from the indexes.conf file (on the Deployment server, if it exists), then reload the config.
Solved my issue by adding the information in the location "$SPLUNK_HOME/etc/apps/search/local/inputs.conf"
This document is also a great resource: http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Useforwardingagentstogetdata