We've reached our license limit. So, at the indexer, I want to drop all log entries destined for a specific index. The documentation is clear on how to do that on a heavy forwarder, for example, but I haven't found any documentation on how to drop all traffic to a specific index at the indexer. Props.conf looked promising, but it doesn't support an index key. In props.conf, I was expecting that I could create a stanza like this:
[index::development] # This key is not listed in the props.conf.spec
TRANSFORMS-blackhole = blackhole
and in transforms.conf:
[blackhole]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
It just seems there has to be a way, but I haven't been able to discover it.