I want to block a specific host/IP from sending logs to the indexers for the time being, until I need to enable it again later. Is there a way to block it at the indexer level, and how?
Please tell me the full steps so I can implement this in the live environment.
Please tell me step by step.
Put this on your indexer and restart:
# props.conf
[host::Your\.IP\.Address\.Here]
TRANSFORMS-drop_everything = drop_everything

[host::hostname.YourDomain.com]
TRANSFORMS-drop_everything = drop_everything

# transforms.conf
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Routing to the nullQueue is one option, but it is a bit of a waste of resources, as the data is still sent over the network and processed to some degree.
I'd rather suggest using the acceptFrom setting on the respective input on the indexers, or just bluntly blocking that IP address in the firewall on the indexer (if you have one).
If the source you want to disable is a forwarder, you could also disable the outputs on the forwarder (or just shut down the forwarder altogether).
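As an added illustration of the acceptFrom approach (not part of any answer in this thread), this is what the receiving input would look like in inputs.conf on the indexer; the port 9997, the address 10.1.2.3 and the 10.1.0.0/16 block are placeholder values to replace with your own.

```ini
# inputs.conf on the indexer (added example, not from this thread).
# Placeholders: 9997 is the receiving port, 10.1.2.3 is the host to block.
[splunktcp://9997]
# acceptFrom is a list of rules evaluated in order; the first match wins.
# A '!' prefix rejects the connection, '*' accepts everything else.
# The blocked sender's TCP connection is refused, so unlike the nullQueue
# route nothing from it is received, parsed or indexed.
acceptFrom = !10.1.2.3, *

# A whole network can be rejected with a CIDR rule instead:
# acceptFrom = !10.1.0.0/16, *
#
# To allow the host again later, remove its rule (or set acceptFrom = *)
# and restart splunkd.
```

Caveat: acceptFrom matches the IP the indexer sees on the connection, so if the host sends through an intermediate heavy forwarder the rule would block that forwarder and everything behind it; in that topology use the props/transforms nullQueue route keyed on host instead.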
You can do this by using props.conf and transforms.conf: the events from the IP that needs to be filtered can be sent to the nullQueue.
You can use the stanzas below and modify them as per your requirement based on the log.
# props.conf
# The stanza header was missing from the original post; replace the
# placeholder with the host (or source/sourcetype) you want to filter.
[host::YOUR_HOST_HERE]
TRANSFORMS-FilterEvent = FilterEvent560

# transforms.conf
[FilterEvent560]
REGEX = (?msi)^EventCode=560
DEST_KEY = queue
FORMAT = nullQueue