Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to limit iis logs to 4xx and 5xx statuses in universal forwarder

agatesoftware
New Member
‎10-15-2019 01:14 PM

I am trying to limit the input of iis logs to only 4xx and 5xx vaqlues in the sc_status field. In the etc\system\local directory I have created an inputs.conf, props.conf. and transforms.conf files with the following entries. I have tried many variations of the REGEX entry in the transforms.conf but nothing seems to work. It is currently set to only get 4xx statuses. Please help

inputs.conf
[monitor://C:\inetpub\logs\LogFiles\W3SVC3]
disabled=false
followTail = 0
sourcetype=iis

props.conf
[iis]
TRANSFORMS-HttpErrorsOnly=HttpErrorsOnly

transforms.conf
[HttpErrorsOnly]
SOURCE_KEY=field:sc_status
REGEX=4[0-9][0-9]
DEST_KEY=queue
FORMAT=nullQueue

Tags (1)
0 Karma
Reply

jdhunter
Path Finder
‎10-15-2019 02:21 PM

Props and transforms will not parse the data on Universal Forwarders. See - https://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

You might be able to use whitelist in inputs.conf. I have used this method for Windows event codes, but haven't done it on IIS logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...