Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Is there another way to block a host without r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there another way to block a host without redirecting the events to null queue by indexer?
i have blocked a host in such way that all the events from that host will be redirected to Null Queue by the indexers. But indexers have to do some work to redirect. So, can i please know is there any other way to block that host without redirecting the events to null queue by indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have many options if you are blocking literally everything (which is what you said):
o If you are using a Splunk Deployment Server (you definitely should be), blacklist that host inside all serverclasses.
o Stop (or better yet, uninstall) Splunk on the forwarder.
o Use an OS-level feature (you did not say what host OS is on your Indexers) to block the host (e.g. firewalld, null-route, etc.)
If you are only blocking some things, then the only other way is to send the stuff to an intermediate facility and manage the data there. Almost always this is done with a Heavy Forwarder running Syslog.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How is the monitoring done for that host, inputs.conf deployed on that host? If yes then you can just get that inputs.conf removed from that host.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i want to block all the events from that host but not increasing indexerperformance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, if you remove all the inputs.conf from the forwarders, it will not be monitoring and sending data to your indexers, so zero impact on indexers. Are you using deployment server to maintain your data inputs on forwarder OR you create inputs.conf directly on forwarders?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
