Hi OMohi,
Yes, you can filter out unwanted events by using this guide http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues
Here is an example (untested) of props.conf and transforms.conf needed on the indexer:
props.conf
[source::tcp:514]
# run the setnull transform on every event arriving on the syslog TCP input
TRANSFORMS-send_to_nullQueue = setnull

transforms.conf
[setnull]
# MetaData:Host carries the value as host::<hostname or IP>; 10.0.0.5 is a
# placeholder, replace it with the unwanted host's IP and keep the dots escaped
REGEX = ^host::10\.0\.0\.5$
SOURCE_KEY = MetaData:Host
DEST_KEY = queue
FORMAT = nullQueue
# no catch-all transform (REGEX = . with FORMAT = indexQueue) may follow setnull:
# transforms run in the listed order and the last match wins, so it would send
# the events from the unwanted host straight back to indexQueue
Hope this helps to get you started, and don't forget it will only drop new events from the IP and will only work after a Splunk restart.
Just my 2 cents: best thing to do here: stop the source from sending 😉
cheers, MuS
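To see how the queue routing behaves before touching a live indexer, here is an added Python model, written for this thread and not Splunk's own code, that parses a constructed props.conf/transforms.conf pair and applies the transforms to a few made-up syslog events the way Splunk documents its index-time pipeline: the transforms of a TRANSFORMS-<class> run in the listed order, each whose REGEX matches its SOURCE_KEY sets DEST_KEY, and the last match wins. The host 10.0.0.5, the other hosts and the event text are constructed, and MetaData:Host is modelled as host::<host>. A second props variant lists a catch-all setparsing transform after setnull to show that such an ordering sends the dropped host's events back to indexQueue, and the 10.0.0.50 host shows why the regex needs its anchors.

```python
import configparser
import re

# Constructed props.conf: only the drop transform runs on the syslog TCP input.
PROPS_CONF = """
[source::tcp:514]
TRANSFORMS-send_to_nullQueue = setnull
"""

# Same stanza with a catch-all transform listed after setnull (the ordering pitfall).
PROPS_CONF_WITH_CATCHALL = """
[source::tcp:514]
TRANSFORMS-send_to_nullQueue = setnull,setparsing
"""

# Constructed transforms.conf; 10.0.0.5 is a placeholder for the noisy host.
TRANSFORMS_CONF = r"""
[setnull]
REGEX = ^host::10\.0\.0\.5$
SOURCE_KEY = MetaData:Host
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample events: the noisy host, a firewall to keep, and a host whose
# IP merely starts with the noisy host's IP.
EVENTS = [
    {"source": "tcp:514", "host": "10.0.0.5", "_raw": "<13>Oct 1 12:00:00 noisy sshd[1]: keepalive"},
    {"source": "tcp:514", "host": "10.0.0.7", "_raw": "<13>Oct 1 12:00:01 fw kernel: DROP 203.0.113.9"},
    {"source": "tcp:514", "host": "10.0.0.50", "_raw": "<13>Oct 1 12:00:02 web nginx: GET /"},
]


def load_conf(text):
    """Parse a Splunk-style .conf file into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DEST_KEY / MetaData:Host spelling as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def transform_order(props, source):
    """Transform names for a source stanza, in the order Splunk would run them
    (TRANSFORMS-<class> keys modelled in ASCII order, names in listed order)."""
    stanza = props.get("source::" + source, {})
    names = []
    for key in sorted(stanza):
        if key.startswith("TRANSFORMS-"):
            names += [n.strip() for n in stanza[key].split(",")]
    return names


def route_event(event, props, transforms):
    """Model of index-time routing: every transform whose REGEX matches its
    SOURCE_KEY sets the queue; a later match overrides an earlier one."""
    keys = {"_raw": event["_raw"], "MetaData:Host": "host::" + event["host"]}
    queue = "indexQueue"  # default when no transform touches the queue key
    for name in transform_order(props, event["source"]):
        t = transforms[name]
        subject = keys[t.get("SOURCE_KEY", "_raw")]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], subject):
            queue = t["FORMAT"]
    return queue


def route_all(props_text, transforms_text=TRANSFORMS_CONF):
    """Map each sample host to the queue its event ends up in."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return {e["host"]: route_event(e, props, transforms) for e in EVENTS}


if __name__ == "__main__":
    print("setnull only:      ", route_all(PROPS_CONF))
    print("setnull,setparsing:", route_all(PROPS_CONF_WITH_CATCHALL))
```

With setnull alone, only the 10.0.0.5 events land in nullQueue; with the catch-all listed after it, every event is routed to indexQueue, which is the behaviour to check for when a drop rule silently stops working.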