1) If I have bad data coming from a heavy forwarder, how would I block that data from being indexed? Since the data is cooked when it arrives at the indexer, I presume I wouldn't be able to.
2) Is there a way to selectively route data to nullQueue from this forwarder?
Assume I don't have access to this heavy forwarder.
Use the acceptFrom = <network_acl> parameter in inputs.conf on the indexer.
It can also be negated, e.g.:
[splunktcp]
acceptFrom = !10.12.13.14
This will simply block all connections from 11.12.13.14. It works for [splunktcp-ssl] as well. It may require a restart, but try hitting the debug/refresh URL first:
http(s)://yourSplunkServer:8000/en-US/debug/refresh
EDIT: typo
Hth,
K
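To check an acceptFrom value against a forwarder's address before rolling it out, here is an added example (not from the answer above or from Splunk) that evaluates the documented ACL semantics: comma- or space-separated rules, "!" to reject, first matching rule wins, with single IPs, CIDR blocks (including Splunk's abbreviated form such as 10.1/16) and "*". It assumes that a client matching no rule is rejected, which is why a deny-list is written with an explicit trailing "*" as in the documented "!10.1/16, *"; DNS-name rules are not handled.

```python
from ipaddress import ip_address, ip_network

# Added example: evaluate a Splunk-style acceptFrom ACL against a client IP.
# Rules are comma/space separated, a leading '!' rejects, and the first rule
# that matches decides (as documented for inputs.conf acceptFrom).
# DNS-name rules (e.g. "*.example.com") are out of scope here.


def _expand_short_cidr(rule: str) -> str:
    """Pad Splunk's abbreviated IPv4 blocks ("10.1/16" -> "10.1.0.0/16")."""
    addr, _, prefix = rule.partition("/")
    if prefix and "." in addr and ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return f"{addr}/{prefix}" if prefix else addr


def _rule_matches(rule: str, client) -> bool:
    if rule == "*":
        return True
    rule = _expand_short_cidr(rule)
    if "/" in rule:
        # Mixed IPv4/IPv6 comparisons simply return False here.
        return client in ip_network(rule, strict=False)
    return client == ip_address(rule)


def accept_from_allows(acl: str, client_ip: str) -> bool:
    """Return True if client_ip would be accepted under the acceptFrom value acl."""
    client = ip_address(client_ip)
    for raw in acl.replace(",", " ").split():
        negate = raw.startswith("!")
        if _rule_matches(raw.lstrip("!"), client):
            return not negate
    # Assumption: an unmatched client is rejected. Write the trailing "*"
    # explicitly (as in the documented "!10.1/16, *") rather than relying on
    # any implicit allow when only negated rules are present.
    return False


if __name__ == "__main__":
    # Constructed sample: block one misbehaving heavy forwarder, allow the rest.
    acl = "!10.12.13.14, *"
    for ip in ("10.12.13.14", "10.12.13.15"):
        print(ip, "accepted" if accept_from_allows(acl, ip) else "rejected")
```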
Didn't think of that one! Thanks.