https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128984#M35066 <P>That's likely due to the iis index not being listed in your user's role's "indexes searched by default", so when not specifying an index in the search it probably just looks in the main index.</P> Wed, 17 Sep 2014 23:02:55 GMT martin_mueller 2014-09-17T23:02:55Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128981#M35063 <P>Trying to dump off what seems like a simple thing to do from raw iis logs.<BR /><BR /> just want to not allow this to index: cs_uri_stem = /CLBOnline/AppOnline</P> <P>my props.conf is<BR /> [iis]<BR /> TRANSFORMS-set = setnull1</P> <P>my transforms.conf is</P> <H1>bit bucket for IIS</H1> <P>[setnull1]<BR /> REGEX=\/CLBOnline\/AppOnline<BR /><BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>I'm running Splunk 6.1</P> Mon, 28 Sep 2020 17:36:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128981#M35063 cdupuis123 2020-09-28T17:36:48Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128982#M35064 <P>Can you confirm that your sourcetype is correctly set to iis? I had this problem and found it was being set to iis-2.</P> Wed, 17 Sep 2014 21:13:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128982#M35064 Richfez 2014-09-17T21:13:50Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128983#M35065 <P>Maybe that's my issue, I'm pumping these IIS logs into an iis index, when I search index=iis the sourcetype of iis comes back, but when I search sourcetype=iis I get nothing?????</P> Wed, 17 Sep 2014 22:43:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128983#M35065 cdupuis123 2014-09-17T22:43:47Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128984#M35066 <P>That's likely due to the iis index not being listed in your user's role's "indexes searched by default", so when not specifying an index in the search it probably just looks in the main index.</P> Wed, 17 Sep 2014 23:02:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128984#M35066 martin_mueller 2014-09-17T23:02:55Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128985#M35067 <P>ya I figured that out martin, thanks regex is still stumping me....</P> Wed, 17 Sep 2014 23:05:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128985#M35067 cdupuis123 2014-09-17T23:05:08Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128986#M35068 <P><EM>Update</EM> apparently in Splunk v6 we can now transform IIS, &amp; csv logs on the Universal Forwarder! News to me. Next hurtle (for me) was getting it to work on the UF, as it would work fine in the etc\system\local (not possible I think from a deployment server) but wouldn't work in the app directory. My SE pointed out the fact that I needed to basically declare in the app metadata directory add to the default.meta:<BR /> [props]<BR /> export = system<BR /> [transforms]<BR /> export = system</P> <P>I've learned something new, and hope others figured this out faster than I!!!! Regardless it's documented now.</P> <P>Thanks Jeff</P> Mon, 29 Sep 2014 18:50:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-regex-for-transforms-conf-and-props-conf-to/m-p/128986#M35068 cdupuis123 2014-09-29T18:50:02Z