You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf [tcpout] ... forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection) forwardedindex.filter.disable = false The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes. The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below: Rewrite rule #2 to remove _audit: [tcpout] forwardedindex.2.whitelist = (_internal|_introspection) Add a new rule #3 re-enforcing the blacklist of _audit: [tcpout] forwardedindex.3.blacklist = _audit Either one of these should work. Cheers! ... View more