We have a team that are sending far too many wasteful logs to us for a specific sourcetype. It's going to take them a while to tune their logging, and I was wondering if there is a way short of invalidating their token that I could just deny one specific sourcetype from being ingested?
https://docs.splunk.com/Documentation/Splunk/8.2.4/Forwarding/Routeandfilterdatad
Just redirect this sourcetype to nullQueue.
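A sketch of the nullQueue routing described in the linked documentation, added here as an example and not part of the original replies. The sourcetype `noisy:sourcetype` and the stanza name `drop_noisy_sourcetype` are placeholders; the settings belong on the instance that parses the data (indexer or heavy forwarder), not on a universal forwarder.

```ini
# props.conf
# Placeholder sourcetype: replace with the sourcetype you want to discard.
[noisy:sourcetype]
# Run the transform below on every event of this sourcetype at index time.
TRANSFORMS-drop_noisy = drop_noisy_sourcetype

# transforms.conf
# Hypothetical stanza name; it only has to match the reference in props.conf.
[drop_noisy_sourcetype]
# "." matches any non-empty event, so everything in the sourcetype is dropped.
# Narrow the regex to discard only the wasteful events and keep the rest.
REGEX = .
# Rewrite the event's queue so it is discarded instead of indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are discarded before indexing and cannot be recovered later, and the rule only affects data that arrives after it is in place.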