Getting Data In

Any way to selectively nullQueue data from heavy forwarder?

the_wolverine
Champion

1) If I have a bad data coming from a heavy forwarder how would I block that data from being indexed? Since the data is cooked when she arrives at the indexer, I presume I wouldn't be able to.

2) Is there a way to selectively route data to nullQueue from this forwarder?

Assume I don't have access to this heavy forwarder.

0 Karma

kristian_kolb
Ultra Champion

Use the acceptFrom = <network_acl> parameter for inputs.conf on the indexer.
It can also be negated, e.g.;

[splunktcp]
acceptFrom = !10.12.13.14

Which will simply block all connections from 11.12.13.14. Works for [splunktcp-ssl] as well. May require a restart, but try to hit the debug/refresh url first.

http(s)://yourSplunkServer:8000/en-US/debug/refresh

EDIT: typo

Hth,

K

the_wolverine
Champion

Didn't think of that one! Thanks.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...