Hi,
I'm trying to stop forwarding _audit index.
I put in my outputs.conf the following lines:
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false
It should block all indexes beginning with "_". Am I right?
It doesn’t work because I am still seeing forwarded audit logs:
Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]
Do you know how to stop it?
Thanks for your time,
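As an added illustration (not from the original post and not Splunk's own code), a small Python evaluator for forwardedindex rules. It assumes rules are applied in numeric order with the highest-numbered matching rule deciding, and that a regex must match the whole index name; it also includes a constructed, higher-numbered whitelist line standing in for what a merged default outputs.conf may contribute, which is the first thing to check on the forwarder with `splunk btool outputs list tcpout --debug`.

```python
import re

# Constructed sample: exactly the lines from the post.
POST_CONF = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false
"""

# Constructed sample: the same lines plus an ASSUMED higher-numbered whitelist,
# standing in for a rule a default outputs.conf could add after config merging.
MERGED_CONF = POST_CONF + "forwardedindex.2.whitelist = (_audit|_internal)\n"

RULE_RE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.+?)\s*$")


def parse_rules(conf):
    """Return (filter_enabled, rules) with rules sorted by their number."""
    rules, enabled = [], True
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("forwardedindex.filter.disable"):
            enabled = line.split("=", 1)[1].strip().lower() != "true"
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), re.compile(m.group(3))))
    return enabled, sorted(rules, key=lambda r: r[0])


def is_forwarded(index, conf):
    """Decide whether events for `index` leave the forwarder under `conf`."""
    enabled, rules = parse_rules(conf)
    if not enabled:          # filtering switched off: everything is forwarded
        return True
    decision = False         # assumed: an index matching no rule is not forwarded
    for _, kind, rx in rules:
        if rx.fullmatch(index):              # assumed: regex anchored to full name
            decision = (kind == "whitelist")  # assumed: highest-numbered match wins
    return decision


if __name__ == "__main__":
    for conf_name, conf in (("post", POST_CONF), ("merged", MERGED_CONF)):
        for idx in ("main", "_audit", "_introspection"):
            print(f"{conf_name:6} {idx:15} forwarded={is_forwarded(idx, conf)}")
```

With only the post's two rules `_audit` is blocked, so if it still arrives, the merged configuration on the forwarder almost certainly carries a later rule that re-admits it.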