You can't really block a sourcetype in the sense of stopping traffic from coming in except by disabling the input which is responsible for handling this data. If you didn't want this data coming in any longer, you can blacklist it at the input level.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata
You can also route data you don't want indexed to nullQueue using the instructions here:
You can't really remove data in a surgical fashion. You can | delete it, but that won't reclaim the space used by the events.
Your options for removing data are discussed here:
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk
You can't really block a sourcetype in the sense of stopping traffic from coming in except by disabling the input which is responsible for handling this data. If you didn't want this data coming in any longer, you can blacklist it at the input level.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata
You can also route data you don't want indexed to nullQueue using the instructions here:
You can't really remove data in a surgical fashion. You can | delete it, but that won't reclaim the space used by the events.
Your options for removing data are discussed here:
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk