We have client logs getting indexed using Rest API and our license is overloaded with high volume. Because of REST API setup, we don't have a forwarder pushing logs to Splunk indexer-- it's getting indexed directly from user machines. Is there any way we can just blacklist the index or source type?
Thanks
Deploy the following to your indexer(s) or whatever is your next hop after the collection layer:
In props.conf:
[yoursourcetypename]
TRANSFORMS-null= setnull
In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
More details here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad#Filter_event_data_a...
I think you can also prefilter this in your clients if you have already specify the index name at collection time. See this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Filter_data_by_targ...
Deploy the following to your indexer(s) or whatever is your next hop after the collection layer:
In props.conf:
[yoursourcetypename]
TRANSFORMS-null= setnull
In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
More details here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad#Filter_event_data_a...
I think you can also prefilter this in your clients if you have already specify the index name at collection time. See this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Filter_data_by_targ...