Starting in Splunk 4.1 a normal (non lightweight/LWF) forwarder will not forward events from indexes who's names begin with _ (such as _internal), except for _audit. As such, 'Installing app' events, like those cited above, will not get forwarded to your indexer. The source of this behavior are the filters in $SPLUNK_HOME/etc/system/default/outputs.conf (NOTE: Please do not edit files in the /default/ directory).
To override this behavior, add these lines to $SPLUNK_HOME/etc/system/local/outputs.conf:
[tcpout]
forwardedindex.filter.disable = true
... View more