Unless there is some way to do it with Edge Processor (whose full capabilities I'm not aware of yet), there's no reliable way to do so.

1. Splunk on its own doesn't store metadata on the connection. So you can't reliably tell which forwarder the data came from.
2. Splunk doesn't differentiate between data locally ingested and received on network inputs. So you can't do something like "those UFs can only send to a specific set of indexes".

You can set up a Heavy Forwarder receiving data from those untrusted UFs and create rulesets (transforms won't catch indexed extractions) globally limiting processing to given indexes (sending others to nullQueue). I think that's the only limit you can impose with such a setup.
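A sketch of the Heavy Forwarder ruleset described in the answer above, added here as an example and not taken from the original post. The index names `app_web` and `app_auth`, the stanza name `untrusted_uf_index_allowlist`, and the use of the `[default]` stanza for global scope are assumptions to check against your Splunk version on a test instance.

```ini
# props.conf on the Heavy Forwarder that receives the untrusted UFs.
# RULESET-<class> is used instead of TRANSFORMS-<class> so the rule also
# applies to data that arrives already parsed (e.g. indexed extractions).
# Assumption: [default] applies the ruleset to all incoming data.
[default]
RULESET-untrusted_uf_index_allowlist = untrusted_uf_index_allowlist

# transforms.conf on the same Heavy Forwarder.
# Events destined for an index on the allowlist continue to indexQueue;
# everything else is routed to nullQueue and dropped.
# app_web and app_auth are constructed example index names.
[untrusted_uf_index_allowlist]
INGEST_EVAL = queue=if(in(index, "app_web", "app_auth"), "indexQueue", "nullQueue")
```

Because the rule is global on that Heavy Forwarder, it also drops the forwarders' own internal logs unless the relevant `_`-prefixed indexes are added to the allowlist.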