topic Re: Splunk 6 - IIS nullQueue in Getting Data In

Splunk 6 - IIS nullQueue

rtafoya — Wed, 19 Feb 2014 21:17:27 GMT

I'm trying to route certain IIS logs to the nullQueue but it doesn't seem to be working.
the IIS log entry looks like this:

2014-02-19 20:31:06 W3SVC1 Server1 10.10.10.1 GET /login.aspx - 80 - 10.10.1.1 HTTP/1.1 HTTP_monitor/10.0 - - websitelogin.com 200 0 0 5212 87 15

On my Indexer, I have setup /etc/system/local/props.conf like this:

[iis*]
TRANSFORMS-set = dropHTTPmonitor

Then I have /etc/system/local/transforms.conf like this:

[dropHTTPmonitor]
REGEX = (10\.10\.1\.1).*(HTTP_monitor\/10\.0)
DEST_KEY = queue
FORMAT = nullQueue

Restarted splunkd and splunk is still not dropping the events as I think it should. I tried simplifying the regex down to just (HTTP_monitor) and that didn't seem to work either.

Any ideas? (Splunk Enterprise 6.0.1 and universial forwarder 6.0.1-189883 (x64))

Re: Splunk 6 - IIS nullQueue

dmaislin_splunk — Wed, 19 Feb 2014 21:44:42 GMT

Just this?

[dropHTTPmonitor]
REGEX = HTTP_monitor
DEST_KEY = queue
FORMAT = nullQueue

Re: Splunk 6 - IIS nullQueue

dmaislin_splunk — Wed, 19 Feb 2014 21:46:19 GMT

Just know that it will only drop newly added events. The old events with that log line will still be there unless you add the role of Can_Delete and run a search to

* HTTP_monitor | delete

Re: Splunk 6 - IIS nullQueue

rtafoya — Wed, 19 Feb 2014 22:26:33 GMT

Thanks. Yes, I am aware that the already indexed events will not be dropped.

Re: Splunk 6 - IIS nullQueue

dmaislin_splunk — Wed, 19 Feb 2014 22:28:04 GMT

Does my suggestion above work?

Re: Splunk 6 - IIS nullQueue

rtafoya — Wed, 19 Feb 2014 22:31:54 GMT

I tried using the regex you suggested above, but that did not work.
Maybe this has to do with the new INDEXED_EXTRACTIONS settings for iis in Splunk 6.0?

Re: Splunk 6 - IIS nullQueue

dmaislin_splunk — Wed, 19 Feb 2014 22:53:19 GMT

Oh, did not know you were getting your header info that way. Try the 5.x method using either DELIMS or just plain old EXTRACT or a REPORT with props and transforms and see if that works.

Re: Splunk 6 - IIS nullQueue

rtafoya — Thu, 20 Feb 2014 15:36:50 GMT

How would I go about changing this in Splunk 6? the Default props.conf has the INDEXED_EXTRACTIONS setting. Do I just place a [iis] stanza in my local props.conf and set everything as i did with Splunk 5x iis extractions?

Re: Splunk 6 - IIS nullQueue

dmaislin_splunk — Thu, 20 Feb 2014 16:21:13 GMT

You have complete control over any given sourcetype so to make it easier I always start with not using IIS since that is one of the default source types for Splunk. Further, once you have control over your sourcetype then you can do any preferred field extractions the way you want and your nullqueue will be fine.

Re: Splunk 6 - IIS nullQueue

rtafoya — Thu, 20 Feb 2014 22:50:55 GMT

Unfortunately, I had to resort to setting sourcetype on the forwarder to "iisw3c" then setup props.conf and transforms.conf like I did IIS in splunk 5. I really wish i could get the nullQueue transform working with the Splunk 6 "INDEXED_EXTRACTIONS".

Re: Splunk 6 - IIS nullQueue

cdupuis123 — Mon, 22 Sep 2014 20:00:42 GMT

rtafoya you ever figure this out? I'm have the same type issue trying to nullQueue some load balancer noise out of the indexer. thanks!