Split forwarding - locally indexing Splunk internal audits; forwarding system operating logs
I should probably know the answer to this, but it eludes me.

The search head of my deployment also acts as the enterprise licence server. I want to forward all the operating system logs to be indexed on one of the main indexers along with all our other management host system logs, but I want the internal audit files to remain indexed locally. If I simply enable forwarding of all logs to the indexer, the internal audit detail (used for Splunk licence usage/performance reports) disappears, even if the appropriate index is created and enabled on the indexer, and besides I prefer to have the audit detail exactly where it always has been. Aggregate outputs.conf is below:

splunk@searchhead[pts/0 2013-08-07 12:31:54]:~$ splunk cmd btool outputs list --debug
system     [tcpout]
system     autoLB = true
system     defaultGroup =
system     disabled = false
system     forwardedindex.0.whitelist = .*
system     forwardedindex.1.blacklist = _.*
system     forwardedindex.2.whitelist = _audit
system     forwardedindex.3.blacklist = summary_.*
system     forwardedindex.4.blacklist = linux_.*
system     forwardedindex.filter.disable = false
system     indexAndForward = 0
system     maxQueueSize = 500KB
system     [tcpout:indexer.domain_9997]
system     disabled = false
system     forwardedindex.0.blacklist = .*
system     forwardedindex.0.whitelist =
system     forwardedindex.1.blacklist =
system     forwardedindex.1.whitelist = linux_.*
system     forwardedindex.2.whitelist =
system     forwardedindex.3.blacklist =
system     forwardedindex.4.blacklist =
system     server = indexer.domain:9997

This has now been changed to

splunk@searchhead[pts/0 2013-08-07 16:49:02]:~$ /opt/splunk/bin/splunk btool outputs list --debug
system     [tcpout]
system     autoLB = true
system     defaultGroup =
system     disabled = true
system     forwardedindex.0.whitelist = .*
system     forwardedindex.1.blacklist = _.*
system     forwardedindex.2.whitelist = _audit
system     forwardedindex.3.blacklist = summary_.*
system     forwardedindex.4.blacklist = linux_.*
system     forwardedindex.filter.disable = false
system     indexAndForward = 0
system     maxQueueSize = 500KB
system     [tcpout:indexer.domain_9997]
system     disabled = false
system     forwardedindex.0.whitelist = linux_.*
system     forwardedindex.1.blacklist = .*
system     server = indexer.domain:9997
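The outputs.conf below is an added example for the split the question describes; it is not the poster's configuration and not something from the thread. It assumes the same indexer (indexer.domain:9997) and SPLUNK_HOME (/opt/splunk) as the post, and a target-group name of my own choosing (indexer_group). Two things from outputs.conf.spec drive it: the forwardedindex.<n>.* filters are honoured only in the global [tcpout] stanza and are ignored inside any [tcpout:<group>] stanza, and events filtered out of forwarding are dropped unless local indexing is enabled. So the blacklist-everything/whitelist-linux_.* pair from the post goes under [tcpout], and indexAndForward is switched on so that _audit (and everything else that is not forwarded) keeps landing in the local indexes.

```ini
# Added example, not the poster's config.
# File: /opt/splunk/etc/system/local/outputs.conf  (path assumed)
#
# Rules from outputs.conf.spec that matter here:
#   - forwardedindex.<n>.whitelist/blacklist work ONLY in the global
#     [tcpout] stanza; inside [tcpout:<group>] they are ignored.
#   - Events excluded by those filters are dropped unless local
#     indexing is on (indexAndForward), which is why _audit vanished.
#   - At the same <n>, a whitelist beats a blacklist, so the system
#     default keys must be overridden rather than just added to.

[tcpout]
defaultGroup = indexer_group
disabled = false

# Keep a local copy of everything; only the whitelisted indexes below are
# also forwarded. Honoured only at this top-level stanza, never per group.
indexAndForward = true

# Filter list is evaluated from 0 upwards; the last matching rule wins.
# The empty assignments override the system/default entries at the same
# position (0.whitelist = .*, 1.blacklist = _.*, 2.whitelist = _audit),
# the same pattern the poster used, so that _audit is NOT re-whitelisted.
# Assumption: an empty value neutralises the default key; confirm with
#   /opt/splunk/bin/splunk btool outputs list tcpout --debug
forwardedindex.0.blacklist = .*
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.1.whitelist = linux_.*
forwardedindex.2.whitelist =
forwardedindex.filter.disable = false

# Target group: server only. Do not put forwardedindex.* here.
[tcpout:indexer_group]
server = indexer.domain:9997
disabled = false
```

After a restart, check the merged [tcpout] with btool as above (the forwardedindex keys must appear under [tcpout], not under the group stanza), then run `index=_audit` on the search head and `index=linux_*` on the indexer over the last few minutes. The trade-off to be aware of: indexAndForward = true also keeps a local copy of the linux_* events on the search head, so they are indexed twice. If that duplication is not acceptable, outputs.conf.spec offers an [indexAndForward] stanza with selectiveIndexing, where only events carrying _INDEX_AND_FORWARD_ROUTING = local (set on an inputs.conf stanza) are indexed locally; since that mechanism is keyed on inputs.conf stanzas, check it against your Splunk version before relying on it for the internally generated _audit data.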
