https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281472#M53828 <P>This should be relatively simple, but I cannot find discussion or documentation on it. I suspect that Splunk assumes if a universal forwarder is installed, the data is wanted. The problem is that there is a UF out of my control with a misconfigured index name. I would like to blacklist it until the owner can fix it.</P> <P>How would I blacklist a UF?</P> Mon, 06 Jun 2016 14:01:16 GMT ccsfdave 2016-06-06T14:01:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281472#M53828 <P>This should be relatively simple, but I cannot find discussion or documentation on it. I suspect that Splunk assumes if a universal forwarder is installed, the data is wanted. The problem is that there is a UF out of my control with a misconfigured index name. I would like to blacklist it until the owner can fix it.</P> <P>How would I blacklist a UF?</P> Mon, 06 Jun 2016 14:01:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281472#M53828 ccsfdave 2016-06-06T14:01:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281473#M53829 <P>Do you control the UF from your deployment server? If not you should.</P> <P>Your options are blocking the src_ip at the firewall... (iptables on linux, windows firewall will do the trick too)</P> <P>Asking UF owner to turn off UF.</P> <P>IF you have UF password you can probably disable via REST calls.</P> Mon, 06 Jun 2016 14:48:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281473#M53829 jkat54 2016-06-06T14:48:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281474#M53830 <P>Well, I let the question stand because I figured some good discussion or tips may come from it but it was in my DS so I took care of it (i think) from there.</P> Mon, 06 Jun 2016 14:52:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281474#M53830 ccsfdave 2016-06-06T14:52:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281475#M53831 <P>I assume splunk doesn't want you to blacklist forwarders because they should be controlled via the DS. And if you had a config file somewhere blacklisting them you might spend days trying to figure out why they arent sending data in, etc.</P> Mon, 06 Jun 2016 15:17:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281475#M53831 jkat54 2016-06-06T15:17:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281476#M53832 <P>Yeah, that makes sense</P> Mon, 06 Jun 2016 15:41:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281476#M53832 ccsfdave 2016-06-06T15:41:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281477#M53833 <P>Like this:</P> <P>1: In props.conf, set the TRANSFORMS-null attribute:</P> <PRE><CODE>[host::BadUniversalForwarderHostIdentifierHere] TRANSFORMS-null = TrashEverything </CODE></PRE> <P>2: Create a corresponding stanza in transforms.conf. Set <CODE>DEST_KEY</CODE> to <CODE>queue</CODE> and <CODE>FORMAT</CODE>to <CODE>nullQueue</CODE>:</P> <PRE><CODE>[TrashEverything] REGEX = . DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>3: Deploy to all Indexers and restart all Splunk instances there.</P> Mon, 06 Jun 2016 15:44:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281477#M53833 woodcock 2016-06-06T15:44:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281478#M53834 <P>Yeah this is great option if you can restart indexers. The "blacklisting" word put me in a different direction, but nullQueueing is in effect the same. Thanks woodcock!</P> Mon, 06 Jun 2016 15:47:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281478#M53834 jkat54 2016-06-06T15:47:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281479#M53835 <P>Yeah, I have full control of the central Splunk Infrastructure: SH, Indexers, HF, DS. So, Let me accept this and will update the answer if I need to in the future.</P> Mon, 06 Jun 2016 16:00:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-Universal-Forwarder/m-p/281479#M53835 ccsfdave 2016-06-06T16:00:34Z