Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Any way to selectively nullQueue data from heavy forwarder?

the_wolverine
Champion
‎04-10-2014 04:16 PM

1) If I have a bad data coming from a heavy forwarder how would I block that data from being indexed? Since the data is cooked when she arrives at the indexer, I presume I wouldn't be able to.

2) Is there a way to selectively route data to nullQueue from this forwarder?

Assume I don't have access to this heavy forwarder.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-10-2014 06:09 PM

Use the acceptFrom = <network_acl> parameter for inputs.conf on the indexer.
It can also be negated, e.g.;

[splunktcp]
acceptFrom = !10.12.13.14

Which will simply block all connections from 11.12.13.14. Works for [splunktcp-ssl] as well. May require a restart, but try to hit the debug/refresh url first.

http(s)://yourSplunkServer:8000/en-US/debug/refresh

EDIT: typo

Hth,

K

Reply

the_wolverine
Champion
‎04-14-2014 02:21 PM

Didn't think of that one! Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...