Splunk Enterprise

How to Blacklist Hosts at the Indexer

lpolo
Motivator

Let's say I have 5 forwarders. 4 of them are allowed to forward events to the indexer, but one of them is not. How can I blacklist this host at the indexer, not at the forwarder or the network (e.g., iptables)? In this way, no log event should be indexed from the host that is not allowed to...

Thanks,
Lp

0 Karma

starcher
Influencer

I guess I am confused. If the forwarder is never allowed to send events to an indexer, why even leave it installed? I would just remove it.

0 Karma

JSapienza
Contributor

Something like this might work then:

props.conf

# Stanza names are case-sensitive: the host-scoped stanza is host::<host>.
[host::myhost]
# The attribute is TRANSFORMS-<class>, with an S.
TRANSFORMS-myhost = rejectHost

transforms.conf

[rejectHost]
# Match every event from this host (the default SOURCE_KEY is _raw).
REGEX = .
# The routing key is DEST_KEY, and nullQueue discards the event before indexing.
DEST_KEY = queue
FORMAT = nullQueue
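As an added example that is not code from the thread or from Splunk itself, the following Python script simulates how an indexer would apply host-scoped props/transforms to route events to nullQueue. It covers both cases raised in the thread: blocking one known host (the config above) and, generalizing it, keeping only a known allow-list of hosts by matching on the MetaData:Host key with a negative lookahead. The host names fwd1..fwd5, the stanza and transform names, and the sample log lines are all constructed for this example; the conf text is parsed with configparser and the REGEX is evaluated with Python's re module, which handles this lookahead pattern the same way Splunk's PCRE engine does.

```python
"""Simulate indexer-side nullQueue routing from props.conf/transforms.conf.

Added example, not code from the original thread. Host names, stanza
names and log lines below are constructed assumptions.
"""
import configparser
import fnmatch
import re

# Constructed props.conf text (hypothetical hosts fwd1..fwd5).
PROPS_CONF = """
# Case 1: block one known host (corrected form of the posted config).
[host::fwd5]
TRANSFORMS-blockhost = rejectHost

# Case 2: only the allowed hosts are known; drop everything else.
# Assumption: a wildcard host stanza applies to every host.
[host::*]
TRANSFORMS-allowlist = dropUnknownHosts
"""

# Constructed transforms.conf text.
TRANSFORMS_CONF = """
[rejectHost]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[dropUnknownHosts]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(?!(?:fwd1|fwd2|fwd3|fwd4)$)
DEST_KEY = queue
FORMAT = nullQueue
"""


def _parse(conf_text):
    """Parse Splunk-style INI text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as-is
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}


PROPS = _parse(PROPS_CONF)
TRANSFORMS = _parse(TRANSFORMS_CONF)


def matching_transforms(host):
    """Collect TRANSFORMS-* names from every host:: stanza matching `host`.

    Simplification: Splunk's full stanza-precedence rules are not modelled;
    every matching stanza contributes its transforms, in file order.
    """
    names = []
    for stanza, attrs in PROPS.items():
        if not stanza.startswith("host::"):
            continue
        pattern = stanza[len("host::"):]
        if fnmatch.fnmatchcase(host, pattern):
            for key, value in attrs.items():
                if key.startswith("TRANSFORMS-"):
                    names.extend(v.strip() for v in value.split(","))
    return names


def route_event(host, raw):
    """Return the queue the event lands in: 'indexQueue' or 'nullQueue'."""
    for name in matching_transforms(host):
        t = TRANSFORMS[name]
        # MetaData:Host carries the value "host::<hostname>", so the regex
        # in the allow-list transform must include that prefix.
        source_key = t.get("SOURCE_KEY", "_raw")
        subject = f"host::{host}" if source_key == "MetaData:Host" else raw
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], subject):
            return t["FORMAT"]
    return "indexQueue"


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    ("fwd1", "Jan 01 00:00:01 fwd1 sshd[100]: Accepted publickey for admin"),
    ("fwd5", "Jan 01 00:00:02 fwd5 sshd[101]: Accepted publickey for admin"),
    ("fwd10", "Jan 01 00:00:03 fwd10 sshd[102]: event from an unknown host"),
]


def route_all(events):
    """Route every (host, raw) pair and return {host: queue}."""
    return {host: route_event(host, raw) for host, raw in events}


if __name__ == "__main__":
    for host, queue in route_all(SAMPLE_EVENTS).items():
        print(f"{host:>6} -> {queue}")
```

The `$` anchor inside the lookahead is what keeps `fwd10` from slipping through as a prefix match on `fwd1`. Two caveats for a real deployment: the indexer still receives and parses every event before discarding it, so this saves index volume but not bandwidth; and index-time transforms run in the parsing pipeline, which means they apply at the indexer for universal forwarders but would have to live on a heavy forwarder if one is doing the parsing.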

JSapienza
Contributor

That would be a whitelist, not a blacklist. I am not sure that can be done in this manner. I would urge you to look into using the deployment server to modify outputs.conf.

0 Karma

lpolo
Motivator

What if you do not know the name of the host that you want to blacklist, but you know the hosts that are allowed?

Thanks,
Lp

0 Karma

lpolo
Motivator

This approach cannot be done. We do not have configuration control of the forwarders.

0 Karma

JSapienza
Contributor

If it were me, I would approach this from a different direction. Why even send the data over the wire to the indexer only to be dumped to the nullQueue? You could use the deployment server to send an app to the forwarder with an empty outputs.conf, or one that doesn't have the indexer(s) listed. This way, at a later time all you have to do is remove that host from the corresponding serverClass to revert the changes and allow it to communicate with the indexer.

0 Karma