OK, I have found the issue. A custom-made app (implemented long before I took control of the Splunk instance) is setting up the environment to enable the forwarding of local instance data and metrics to a SOC layer. That worked just fine before the latest upgrades (from 6.5 to 7.2 to 8.1). When I disable the forwarding, the audit data is written back into the local _audit index, and it breaks again as soon as I enable the forwarding. Now that forwarding is necessary, it can't be disabled, but I'm trying to figure out how to save a copy of the audit data without impacting the rest of the saved searches and forwarded data. I know I could select the option to make a local copy of the forwarded data. Still, I don't know what the consequences could be, since it has been working for a while without the option "store a local copy of forwarded events" enabled. Any suggestions?
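One way to keep the audit trail locally without turning on a local copy of everything that is forwarded is Splunk's selective indexing: keep forwarding enabled, but route only the audittrail sourcetype (the sourcetype of `_audit` events) to the local index as well. This is an added example, not configuration from the poster or from the custom app described above; the stanza and setting names are the documented `outputs.conf`, `props.conf` and `transforms.conf` keys, while the forwarding group name `soc_layer`, the server address and the transform name `keep_audit_local` are assumed placeholders.

```ini
# outputs.conf  (added example; replace soc_layer/server with the real forwarding target)
[tcpout]
defaultGroup = soc_layer
# indexAndForward = true would be the "store a local copy of forwarded events"
# option from the post; it is deliberately left off here so that only routed
# data is kept locally.

[tcpout:soc_layer]
server = soc-indexer.example.invalid:9997

[indexAndForward]
index = true
# With selectiveIndexing = true, only events whose _INDEX_AND_FORWARD_ROUTING
# key is set (see transforms.conf below) are indexed locally; everything else
# is forwarded only, as today.
selectiveIndexing = true

# props.conf  (added example)
[audittrail]
TRANSFORMS-keep_audit_local = keep_audit_local

# transforms.conf  (added example)
[keep_audit_local]
# Match every audittrail event and mark it for local indexing in addition
# to forwarding; FORMAT = local is the documented value for this key.
REGEX = .
DEST_KEY = _INDEX_AND_FORWARD_ROUTING
FORMAT = local
```

After a restart, the effect can be checked with `index=_audit | stats count by host` on the local instance and the same search on the SOC side; the counts should both rise for new activity, while other indexes stay empty locally. Because `selectiveIndexing = true` changes local indexing to an allow-list, any data that was previously relying on a global `indexAndForward = true` would stop being kept locally, so it is worth confirming that no other local searches depend on such a copy before deploying.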