Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I block a sourcetype from being indexed?

dhaffner
Path Finder
‎08-06-2010 01:47 PM

We have a huge sudden input of a specific sourcetype and it is overloading the license. Can we somehow block it or set it to drop so they do not get indexed and make us go over our license? Any ideas welcome, but we do not use iptables and are not able to block it at the network level, so it would have to be something in Splunk.

Thanks

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-06-2010 01:52 PM

A simple configuration like this should work. Depending on if you have forwarders (and if there are lightweight or not) may change where you need to deploy these settings to.

props.conf

[my_out_of_control_sourcetype]
TRANFORMS-dropall = drop_events

transforms.conf

[drop_events]
DEST_KEY = queue
REGEX   = .
FORMAT   = nullQueue

Simply replace "my_out_of_control_sourcetype" with the name of the sourectype you want to silence.

View solution in original post

Reply
Solved! Jump to solution

dhaffner
Path Finder
‎08-12-2010 02:06 PM

For some reason, this seems to have stopped working. Any other ideas? Thank you!

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-06-2010 01:52 PM

A simple configuration like this should work. Depending on if you have forwarders (and if there are lightweight or not) may change where you need to deploy these settings to.

props.conf

[my_out_of_control_sourcetype]
TRANFORMS-dropall = drop_events

transforms.conf

[drop_events]
DEST_KEY = queue
REGEX   = .
FORMAT   = nullQueue

Simply replace "my_out_of_control_sourcetype" with the name of the sourectype you want to silence.

Reply
Solved! Jump to solution

Lowell
Super Champion
‎08-13-2010 02:51 PM

That's weird. It shouldn't have worked and then stopped working. Have you confirmed that no other part of your configuration changed? Are you blocking based on sourcetype or based on a host entry? Posting your exact config may be helpful too.

0 Karma
Reply
Solved! Jump to solution

dhaffner
Path Finder
‎08-12-2010 02:07 AM

For some reason, this seems to have stopped working. Any other ideas?
Thank you!

0 Karma
Reply
Solved! Jump to solution

dhaffner
Path Finder
‎08-06-2010 03:59 PM

excellent! Thank you! seems to be working great.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...