Archive

Need to limit iis logs to 4xx and 5xx statuses in universal forwarder

New Member

I am trying to limit the input of iis logs to only 4xx and 5xx vaqlues in the sc_status field. In the etc\system\local directory I have created an inputs.conf, props.conf. and transforms.conf files with the following entries. I have tried many variations of the REGEX entry in the transforms.conf but nothing seems to work. It is currently set to only get 4xx statuses. Please help

inputs.conf
[monitor://C:\inetpub\logs\LogFiles\W3SVC3]
disabled=false
followTail = 0
sourcetype=iis

props.conf
[iis]
TRANSFORMS-HttpErrorsOnly=HttpErrorsOnly

transforms.conf
[HttpErrorsOnly]
SOURCE_KEY=field:sc_status
REGEX=4[0-9][0-9]
DEST_KEY=queue
FORMAT=nullQueue

Tags (1)
0 Karma

Path Finder

Props and transforms will not parse the data on Universal Forwarders. See - https://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

You might be able to use whitelist in inputs.conf. I have used this method for Windows event codes, but haven't done it on IIS logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

0 Karma