Is there any efficient way to block queries without the sourcetype? Educating users is not working and we wanted to block it so that there is no degradation of the environment.
Hi
Probably you could try Splunk Workload Management for it. At least it works if users try to run queries without index=xyz. See more: https://docs.splunk.com/Documentation/Splunk/latest/Workloads/WorkloadRules
r. Ismo