Getting Data In

How to blacklist a Universal Forwarder?

ccsfdave
Builder

This should be relatively simple, but I cannot find discussion or documentation on it. I suspect that Splunk assumes if a universal forwarder is installed, the data is wanted. The problem is that there is a UF out of my control with a misconfigured index name. I would like to blacklist it until the owner can fix it.

How would I blacklist a UF?

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

1: In props.conf, set the TRANSFORMS-null attribute:

[host::BadUniversalForwarderHostIdentifierHere]
TRANSFORMS-null = TrashEverything

2: Create a corresponding stanza in transforms.conf. Set DEST_KEY to queue and FORMAT to nullQueue:

[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

3: Deploy to all Indexers and restart all Splunk instances there.
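The three steps above as a single deployable unit, added here as an example and not part of woodcock's answer: a POSIX shell script that packages the props.conf and transforms.conf stanzas into a small Splunk app so the same files can be pushed to every indexer (or to the heavy forwarder the UF sends to, since index-time transforms run on the first full Splunk instance that parses the data) rather than hand-edited on each box. The app name drop_bad_uf and the host value badhost01 are placeholders chosen for this example; the host must be whatever the forwarder reports in its host field.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a Splunk app that drops
# everything from one forwarder via nullQueue, then verifies the stanzas.
# Assumptions: app name "drop_bad_uf" and host "badhost01" are placeholders.
set -eu

# build_drop_app <apps_dir> <uf_host>
# Writes props.conf and transforms.conf under <apps_dir>/drop_bad_uf/local and
# prints the app's local directory.
build_drop_app() {
    apps_dir="$1"
    uf_host="$2"
    app="$apps_dir/drop_bad_uf/local"
    mkdir -p "$app"

    # props.conf: bind the transform to events whose host field equals uf_host.
    cat > "$app/props.conf" <<EOF
[host::$uf_host]
TRANSFORMS-null = TrashEverything
EOF

    # transforms.conf: REGEX "." matches any non-empty event; routing it to
    # nullQueue discards it before it reaches an index (not stored, not licensed).
    cat > "$app/transforms.conf" <<EOF
[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
EOF
    echo "$app"
}

# verify_drop_app <apps_dir> <uf_host>
# Returns 0 if the host stanza, the TRANSFORMS-null wiring and the nullQueue
# stanza are all present for that host, 1 otherwise.
verify_drop_app() {
    app="$1/drop_bad_uf/local"
    grep -q "^\[host::$2\]" "$app/props.conf" || return 1
    grep -q '^TRANSFORMS-null = TrashEverything' "$app/props.conf" || return 1
    grep -q '^\[TrashEverything\]' "$app/transforms.conf" || return 1
    grep -q '^DEST_KEY = queue' "$app/transforms.conf" || return 1
    grep -q '^FORMAT = nullQueue' "$app/transforms.conf" || return 1
    return 0
}

# Stand-alone run: build into a temporary directory and verify. On a real
# indexer, point apps_dir at $SPLUNK_HOME/etc/apps (or push the app through
# the cluster manager / deployment server) and restart splunkd.
tmp="$(mktemp -d)"
app_dir="$(build_drop_app "$tmp" "badhost01")"
verify_drop_app "$tmp" "badhost01" && echo "stanzas OK in $app_dir"
if command -v splunk >/dev/null 2>&1; then
    # Shows the effective props for that host and which file each key came from.
    splunk btool props list "host::badhost01" --debug
fi
rm -rf "$tmp"
```

Two caveats a practitioner should keep in mind: nullQueue discards the events after they have been received and parsed, so the forwarder still consumes network bandwidth and indexer parsing CPU until its owner fixes it; and the host:: stanza only matches the value the forwarder actually sends, so if it overrides host in its inputs.conf, that value, not the DNS name, is what belongs in the stanza.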

jkat54
SplunkTrust
SplunkTrust

Yeah this is great option if you can restart indexers. The "blacklisting" word put me in a different direction, but nullQueueing is in effect the same. Thanks woodcock!

0 Karma

ccsfdave
Builder

Yeah, I have full control of the central Splunk infrastructure: SH, Indexers, HF, DS. So, let me accept this and I will update the answer if I need to in the future.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Do you control the UF from your deployment server? If not you should.

Your options are blocking the src_ip at the firewall... (iptables on linux, windows firewall will do the trick too)

Asking UF owner to turn off UF.

IF you have UF password you can probably disable via REST calls.

0 Karma

ccsfdave
Builder

Well, I let the question stand because I figured some good discussion or tips might come from it, but it was in my DS, so I took care of it (I think) from there.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I assume Splunk doesn't want you to blacklist forwarders because they should be controlled via the DS. And if you had a config file somewhere blacklisting them, you might spend days trying to figure out why they aren't sending data in, etc.

0 Karma

ccsfdave
Builder

Yeah, that makes sense

0 Karma