https://community.splunk.com/t5/Getting-Data-In/IIS-filter-transform-not-processing-when-forwarded-from/m-p/369058#M67012 <P>This works as is. Just have to make sure to place the file in the right spot, restart the UF and <EM>WAIT</EM>. It took a little while for events with the correct filter to come in. I'm guessing there was a queue somewhere between sending to Splunk and applying the props/transforms.</P> Wed, 25 Oct 2017 22:36:10 GMT JacobCarrell 2017-10-25T22:36:10Z https://community.splunk.com/t5/Getting-Data-In/IIS-filter-transform-not-processing-when-forwarded-from/m-p/369057#M67011 <P>I've found many entries on the subject of filtering IIS logs, with people saying X has worked. However, I'm not able to get it fully working. If I copy an IIS log that should be filtered to the server and import it manually it works (as far as I can tell, I only went to preview) but if I use a UF from a server 2003 (so older UF version) box, to the Splunk server on windows 2012 (6.6.3), it doesn't get filtered. Any help here? </P> <PRE><CODE>Props.conf: [iis] TRANSFORMS-ignoredpages= iis_ignoredpages Transforms.conf: [iis_ignoredpages] #SOURCE_KEY=field:cs_uri_stem REGEX=(Page1|Page2) DEST_KEY= queue FORMAT=nullQueue </CODE></PRE> <P>Page1 and Page2 are only part of the cs-uri-stem (that's its name in the IIS logs, but Splunk seems to turn it into cs_uri_stem), instead they're like companyname.product.page1/service.asmx or companyname.product/page2.asmx</P> <P>I've tried placing the props and transforms files on both the system/local directory of the UF and the Splunk receiver, restarted both and it continued to process the unwanted pages. </P> <P>I understand that it looks like UF itself can't filter these lines, but that it processes them sufficiently to get past props and transforms on the Splunk machine. <STRONG>I assume there's a way I can make Universal Fowarder send the logs RAW and the Spunk box will go "OH, W3C, process normally," but how do I do that?</STRONG> </P> <P>---- Less relevant ----<BR /> Filtering out these pages is absolutely critical as they're hundreds of thousands of internal calls that would spam the Splunk logs, and overwhelm our 500mb/day limit that I need to stay under for proof of concept. </P> Tue, 29 Sep 2020 16:02:59 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-filter-transform-not-processing-when-forwarded-from/m-p/369057#M67011 JacobCarrell 2020-09-29T16:02:59Z https://community.splunk.com/t5/Getting-Data-In/IIS-filter-transform-not-processing-when-forwarded-from/m-p/369058#M67012 <P>This works as is. Just have to make sure to place the file in the right spot, restart the UF and <EM>WAIT</EM>. It took a little while for events with the correct filter to come in. I'm guessing there was a queue somewhere between sending to Splunk and applying the props/transforms.</P> Wed, 25 Oct 2017 22:36:10 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-filter-transform-not-processing-when-forwarded-from/m-p/369058#M67012 JacobCarrell 2017-10-25T22:36:10Z