The TCP input for splunk (see inputs.conf specification), has attribute acceptFrom using which you can specify whitelist/blacklist of IP addresses from which you don't want to accept data.

[tcp://<remote server>:<port>]
....
acceptFrom = <network_acl> ...   

* Lists a set of networks or addresses to accept connections from.
* Separate multiple rules with commas or spaces.
* Each rule can be in one of the following formats:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A Classless Inter-Domain Routing (CIDR) block of addresses
       (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a '*' used as a wildcard
       (examples: "myhost.example.com", "*.splunk.com")
    4. A single '*' which matches anything
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches.
  For example, "!10.1/16, *" allows connections from everywhere except
  the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

For your use-case, you'd setup something like this

acceptFrom = !<IPAddress1>, !<IPAddress2>, *

Hey
This is done by defining a regex to match the event(s) and send them to nullqueue

Here is a basic example that will drop the events that you do not want in logs.
Let suppose you have ip 192.168.10.11 in the events and you want exclude these events

Then put:
in transforms.conf

 [setnull]
  REGEX = 192\.168\.10\.11
  DEST_KEY = queue
  FORMAT = nullQueue

And in props.conf

[your_sourcetype]
  # Transforms must be applied in this order
  # to make sure events are dropped on the
  # floor prior to making their way to the
  # index processor
  TRANSFORMS-null = setnull

Do this on the indexers and then restart splunkd.
Let me know if this helps!