Getting Data In

Any way to selectively nullQueue data from heavy forwarder?


1) If I have bad data coming from a heavy forwarder, how would I block that data from being indexed? Since the data is cooked when it arrives at the indexer, I presume I wouldn't be able to.

2) Is there a way to selectively route data to nullQueue from this forwarder?

Assume I don't have access to this heavy forwarder.

0 Karma

Ultra Champion

Use the acceptFrom = <network_acl> parameter for inputs.conf on the indexer.
It can also be negated, e.g.:

acceptFrom = !

Which will simply block all connections from Works for [splunktcp-ssl] as well. May require a restart, but try to hit the debug/refresh url first.


EDIT: typo




Didn't think of that one! Thanks.

0 Karma
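
An added example, not part of the thread above and not Splunk's own configuration: an indexer-side inputs.conf using the negated acceptFrom form the answer describes. The address 192.0.2.10, the ports and the file location are constructed placeholders; the trailing `*` follows the "!10.1/16, *" pattern in Splunk's inputs.conf documentation, where rules are applied in order and the first match wins.

```ini
# Example location: $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer.
# 192.0.2.10 is a placeholder for the heavy forwarder to block.

[splunktcp://9997]
# Rules are read left to right; the first matching rule decides.
# Reject the one forwarder, then accept every other sender.
acceptFrom = !192.0.2.10, *

[splunktcp-ssl:9998]
# Same ACL on the TLS input (certificate settings omitted here).
acceptFrom = !192.0.2.10, *
```

The ACL acts on the connection, so everything that forwarder sends is refused, not only selected sources or events.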