Looks good to me. So this head index server you're referring to, is it your Splunk indexer OR a server which is feeding data to your indexer?

It's my Spunk indexer

So when you say it's generating absurd amount of indexed data, from where that data is coming from? Is being monitored/generated on your indexer server itself? What sourcetype(s) does that unwanted data of your have?

I thought it must be data from the indexer itself? We're on a trial and hit 100GB today I'm just trying to sort this by the largest volume events that I don't care about and trim this usage into something useful

I would say you find out which sourcetype or sourcetypes are eating most of your license and then use your nullQueue routing for them. Try running this

index=_internal sourcetype=splunkd component=LicenseUsage type=Usage | stats sum(b) as usage by st | sort 5 -usage | eval usage=round(usage/1024/1024/1024,2)

This will give top 5 sourcetypes based on license usage for selected time range. From this list whatever sourcetypes that you don't want data to be ingested, you can either turn off the monitoring for it (it must be in inputs.conf somewhere) or apply TRANSFORMS for those sourcetypes.

applied on indexer (that's all there is). service was restarted

Does the <host_name> you put in props.conf matches correctly with host field in the event? Is the head index server a server with forwarder installed on it? What's your environment looks like (topology wise)?

is just a placeholder for the actual hostname that i put in the conf file. We have 1 splunk instance that we are feeding everything to and DCN node for the vmware stuff. So topology wise couldn't be much simpler.