I have blocked a host in such a way that all the events from that host will be redirected to the null queue by the indexers. But the indexers have to do some work to redirect them. So, can I please know whether there is any other way to block that host without the indexers redirecting the events to the null queue?
You have many options if you are blocking literally everything (which is what you said):
- If you are using a Splunk Deployment Server (you definitely should be), blacklist that host inside all serverclasses.
- Stop (or better yet, uninstall) Splunk on the forwarder.
- Use an OS-level feature (you did not say what host OS is on your Indexers) to block the host (e.g. firewalld, null-route, etc.).
If you are only blocking some things, then the only other way is to send the stuff to an intermediate facility and manage the data there. Almost always this is done with a Heavy Forwarder running Syslog.
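The indexer-side null-queue routing described in the question, next to the deployment-server blacklist from the first option, as an added example that is not part of the original posts. The host name `noisy-host01`, the server class name `linux_inputs` and the transform name are constructed, and the example assumes the forwarder's inputs are delivered through apps in that server class.

```ini
# --- Indexer-side null-queue routing (the approach the question describes) ---
# Every event from the host still reaches the indexer and is parsed there
# before being discarded, which is the work the asker wants to avoid.

# props.conf on the indexers ("noisy-host01" is a constructed host name)
[host::noisy-host01]
TRANSFORMS-drop_all = drop_all_events

# transforms.conf on the indexers ("drop_all_events" is a constructed name)
[drop_all_events]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# --- Deployment-server blacklist (first option in the answer) ---
# The host stops matching the server class, so it no longer receives the
# apps that carry its inputs.conf and has nothing left to send.

# serverclass.conf on the deployment server
# ("linux_inputs" is a constructed server class name)
[serverClass:linux_inputs]
whitelist.0 = *
# blacklist entries take precedence over whitelist entries
blacklist.0 = noisy-host01

# Repeat the blacklist line in every server class that matches the host,
# then apply the change on the deployment server with:
#   splunk reload deploy-server
```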
How is the monitoring done for that host? Is inputs.conf deployed on that host? If yes, then you can just get that inputs.conf removed from that host.
I want to block all the events from that host, but without increasing indexer performance.
Yes, if you remove all the inputs.conf from the forwarders, it will not be monitoring and sending data to your indexers, so zero impact on indexers. Are you using a deployment server to maintain your data inputs on the forwarders, or do you create inputs.conf directly on the forwarders?