This should be relatively simple, but I cannot find discussion or documentation on it. I suspect that Splunk assumes if a universal forwarder is installed, the data is wanted. The problem is that there is a UF out of my control with a misconfigured index name. I would like to blacklist it until the owner can fix it.
How would I blacklist a UF?
Like this:
1: In props.conf, set the TRANSFORMS-null attribute:
[host::BadUniversalForwarderHostIdentifierHere]
TRANSFORMS-null = TrashEverything
2: Create a corresponding stanza in transforms.conf. Set DEST_KEY to queue and FORMAT to nullQueue:
[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
3: Deploy to all Indexers and restart all Splunk instances there.
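To see what the two stanzas above actually do once deployed, here is an added example (not from the answer or from Splunk) that parses a props.conf and transforms.conf fragment and routes constructed sample events through a simplified model of the indexer pipeline; the host name badforwarder01 is a placeholder, and only the host:: match, the TRANSFORMS-* lookup and the DEST_KEY/FORMAT routing are modelled.

```python
import configparser
import re

# Constructed copies of the two stanzas from the answer; the host name is a placeholder.
PROPS_CONF = """
[host::badforwarder01]
TRANSFORMS-null = TrashEverything
"""
TRANSFORMS_CONF = """
[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
"""

def load_conf(text):
    """Parse Splunk-style stanzas into dicts; keys stay case-sensitive like Splunk's."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def route_event(event, props, transforms):
    """Return the queue an event lands in: indexQueue unless a matching host::
    stanza's TRANSFORMS-* entry sets DEST_KEY=queue (simplified model of the pipeline)."""
    queue = "indexQueue"
    for stanza, settings in props.items():
        if not stanza.startswith("host::"):
            continue
        # host:: stanzas match the event's host field; only '*' wildcards are modelled here.
        pattern = re.escape(stanza[len("host::"):]).replace(r"\*", ".*")
        if not re.fullmatch(pattern, event["host"]):
            continue
        for key, names in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in names.split(",")):
                tr = transforms[name]
                if tr.get("DEST_KEY") == "queue" and re.search(tr["REGEX"], event["_raw"]):
                    queue = tr["FORMAT"]  # REGEX '.' matches every non-empty event
    return queue

def route_all(events, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    return {e["host"]: route_event(e, props, transforms) for e in events}

# Constructed sample events: one from the misconfigured UF, one from a healthy forwarder.
SAMPLE_EVENTS = [{"host": "badforwarder01", "_raw": "ERROR disk full"},
                 {"host": "goodforwarder02", "_raw": "INFO heartbeat"}]
if __name__ == "__main__":
    print(route_all(SAMPLE_EVENTS))  # {'badforwarder01': 'nullQueue', 'goodforwarder02': 'indexQueue'}
```

Only events whose host field matches the stanza are discarded; everything from other forwarders still reaches indexQueue, which is why the answer scopes the stanza to the single bad host.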
Yeah, this is a great option if you can restart indexers. The "blacklisting" word put me in a different direction, but nullQueueing is in effect the same. Thanks woodcock!
Yeah, I have full control of the central Splunk infrastructure: SH, Indexers, HF, DS. So, let me accept this and I will update the answer if I need to in the future.
Do you control the UF from your deployment server? If not you should.
Your options are blocking the src_ip at the firewall... (iptables on Linux; Windows Firewall will do the trick too)
Asking the UF owner to turn off the UF.
If you have the UF password you can probably disable it via REST calls.
Well, I let the question stand because I figured some good discussion or tips may come from it, but it was in my DS so I took care of it (I think) from there.
I assume Splunk doesn't want you to blacklist forwarders because they should be controlled via the DS. And if you had a config file somewhere blacklisting them you might spend days trying to figure out why they aren't sending data in, etc.
Yeah, that makes sense