Getting Data In

Any way to selectively nullQueue data from heavy forwarder?


1) If I have a bad data coming from a heavy forwarder how would I block that data from being indexed? Since the data is cooked when she arrives at the indexer, I presume I wouldn't be able to.

2) Is there a way to selectively route data to nullQueue from this forwarder?

Assume I don't have access to this heavy forwarder.

0 Karma

Ultra Champion

Use the acceptFrom = <network_acl> parameter for inputs.conf on the indexer.
It can also be negated, e.g.;

acceptFrom = !

Which will simply block all connections from Works for [splunktcp-ssl] as well. May require a restart, but try to hit the debug/refresh url first.


EDIT: typo




Didn't think of that one! Thanks.

0 Karma