From Splunk Wiki
How to blacklist data while indexing and forwarding
Some Splunk installations need to prevent certain data from being indexed. Normally, this is done by sending the data to the "nullQueue". However, routing to this queue is not possible when the data is set up to be both indexed and forwarded. Instead, you must tell Splunk to route the data to a non-existent location.
Assume I have a sourcetype=webdata. Set up a stanza for routing in the props.conf file:
[webdata]
TRANSFORMS-webdata-route = webdata-route
Set the stanza in transforms.conf to route to the output queue, but use a FORMAT that is not included in outputs.conf:
[webdata-route]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = nowebdataroute
By sending the data to _TCP_ROUTING instead of nullQueue, the data will still be indexed if you set the "indexAndForward" flag in the default group for outputs.conf. Because "nowebdataroute" is used as the FORMAT value and no routing group of that name exists, this data does not get sent anywhere. If you created a routing group called nowebdataroute in outputs.conf, this data would go to the destination specified in that stanza.
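Because this technique relies on a route name that deliberately has no match in outputs.conf, a mistyped group name has the same silent effect. The following check is an added example, not part of the original wiki page or of Splunk: it lists every _TCP_ROUTING transform whose FORMAT names no [tcpout:<name>] stanza. It assumes single, already-merged conf files; the syslog-route stanza, group name and server address are constructed.

```python
import configparser
# Constructed samples: webdata-route is from this page; everything else is made up.
TRANSFORMS = """
[webdata-route]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = nowebdataroute

[syslog-route]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = primary_indexers
"""
OUTPUTS = """
[tcpout]
defaultGroup = primary_indexers
indexAndForward = true

[tcpout:primary_indexers]
server = indexer.example.com:9997
"""

def parse_conf(text):
    # No interpolation and '=' as the only delimiter, so '%' and ':' in values stay literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def unforwarded_routes(transforms_text, outputs_text):
    """Map each _TCP_ROUTING transform to FORMAT names with no [tcpout:<name>] stanza."""
    groups = {s.split(":", 1)[1] for s in parse_conf(outputs_text).sections()
              if s.startswith("tcpout:")}
    result = {}
    for name, sec in parse_conf(transforms_text).items():
        if sec.get("DEST_KEY", "").strip() != "_TCP_ROUTING":
            continue
        names = [t.strip() for t in sec.get("FORMAT", "").split(",")]
        missing = [t for t in names if t and t not in groups]
        if missing:
            result[name] = missing  # events matching this transform are not forwarded
    return result

def indexes_locally(outputs_text):
    """True when [tcpout] sets indexAndForward (only 'true' and '1' are recognised here)."""
    cp = parse_conf(outputs_text)
    return cp.get("tcpout", "indexAndForward", fallback="").strip().lower() in ("true", "1")

if __name__ == "__main__":
    print(unforwarded_routes(TRANSFORMS, OUTPUTS), indexes_locally(OUTPUTS))
```

An entry in the result is expected for an intentional drop such as webdata-route; any other entry is data that is being kept off the forwarding path without anyone having asked for it.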