Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I block one forwarder from sending?

kst
Explorer
‎02-03-2012 04:45 AM

I have an indexer getting data from 24 hosts. We were well within our quota
until two hosts were added that, for whatever reason (misconfiguration, extremely
busy, etc.) are sending many GB. I have no control over these forwarders, I have to
wait for their admins to fix/reconfigure them. To keep from going over quota, I've
disabled port 9997 on the indexer until I can touch base with those admins. But is
there a way to stop accepting data from just those two offenders without shutting off
the other 24 forwarders? I'm at version 4.3, if that matters.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-03-2012 06:27 AM

You could always block that host from port 9997 using iptables on the indexer ...

View solution in original post

Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-21-2013 11:08 AM

Splunk should have a configurable way to do this at the indexer level. A rogue forwarder can easily take out an indexer by sending crap data or large volumes of data.

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-03-2012 06:27 AM

You could always block that host from port 9997 using iptables on the indexer ...

Reply
Solved! Jump to solution

kst
Explorer
‎02-03-2012 06:48 AM

Thanks for the answers. FWIW, these were IIS logs being written to the default index.
I used iptables to shut 'em down.

Reply
Solved! Jump to solution

Brian_Osburn
Builder
‎02-03-2012 05:12 AM

Need a little bit more information - are these hosts writing to a specific index? Are there specific file source that's causing the issues?

If you have the host, you can do something like this on the indexer side:

transforms.conf:
[block_transform]
REGEX=DEBUG\s\[
DEST_KEY = queue
FORMAT = nullQueue

props.conf:
[host::yourservername]
TRANSFORMS-bad_log = block_transform

This was taken from http://splunk-base.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue

Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-21-2013 11:07 AM

This is one way to do it but it consumes your indexer's resources to parse that data. Cheaper to block it from ever getting to your indexer.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...