Hi, I'm trying to stop forwarding _audit index. I put in my outputs.conf the following lines: [tcpout] forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.filter.disable = false It should block all indexes beginning with "_". Am i right ? It doesn’t work because I am still seeing forwarded audit logs: Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a] Do you know how to stop it ? Thanks for your time, ... View more

Hello, I use a Splunk heavy forwarder and I would like to send inputs to a remote a server. I have two channels on port 5000 and 5001. When I close the port 5001 for example on my remote server, splunk blocks all queues and stops forwarding data to the port 5000. Is it normal ? Is it possible to spool logs on a persistentqueue for the port 5001 and continue to forward logs for the port 5000 without blocking queues on splunk ? I don't need to index these logs... In my case I use splunk like a syslog-ng server. inputs.conf: [default] host = server1 [tcp://5000] sourcetype=test1 _TCP_ROUTING=test1 persistentQueueSize = 500 MB queueSize = 10 KB [tcp://5001] sourcetype=test2 _TCP_ROUTING=test2 persistentQueueSize = 500 MB queueSize = 10 KB outputs.conf: [tcpout] defaultGroup = test1, test2 sendCookedData = false indexAndForward = false useACK = true [tcpout:test1] server = 192.168.0.36:5000 [tcpout:test2] server = 192.168.0.36:5001 metrics.log: 07-05-2015 11:33:22.851 +0200 INFO Metrics - group=queue, name=indexqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=2327, largest_size=2327, smallest_size=2327 Thanks for your help, ... View more