Several of my forwarders are having issues blacklisting the _internal index. In my forwarder's \etc\system\local folder, I have an outputs.conf file with the following logic:
defaultGroup = default-autolb-group
forwardedindex.3.blacklist = (_internal|_audit)
I use this same logic on my workstations with successful results; however, on this representative machine, even after confirming that the blacklist item is being processed by the forwarder (looking at splunkd.log), it still doesn't blacklist the _internal index. I have tried a more aggressive filter (forwardedindex.3.blacklist = _.*), but that doesn't work either. I'm a bit stumped as to where to check next as to why this is happening and how to correct it.
Any help would be appreciated.
Thank you!