1) If I have bad data coming from a heavy forwarder, how would I block that data from being indexed? Since the data is cooked when it arrives at the indexer, I presume I wouldn't be able to.
2) Is there a way to selectively route data to nullQueue from this forwarder?
Assume I don't have access to this heavy forwarder.
Use the acceptFrom = <network_acl> parameter for inputs.conf on the indexer.
It can also be negated, e.g.:
acceptFrom = <network_acl>
acceptFrom = !10.12.13.14
Which will simply block all connections from 184.108.40.206. Works for [splunktcp-ssl] as well. May require a restart, but try to hit the debug/refresh URL first.
Didn't think of that one! Thanks.