Filtering Out Load Balancer Health Checks in IIS Logs

dlofstrom
Path Finder

I'm in the process of evaluating the Splunk for Exchange app and am having a bit of trouble with the TA for IIS (via the vanilla Universal Forwarder install). We have a lot of noise in our logs related to load balancer health checks that I'd like to filter out before it hits the indexers. I set up my props.conf and transforms.conf files as follows, but it still seems to be capturing those health checks. I've triple checked the regex using an online tool, so I'm pretty sure it's correct, but I'm wondering if anyone can pinpoint what might be going wrong, or where I might troubleshoot it further.

props.conf:
[MSWindows:2008R2:IIS]
TZ = GMT
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
TRANSFORMS-comments = ignore_comments
TRANSFORMS-balancer = ignore_lbchecks

transforms.conf
[ignore_comments]
REGEX = ^#.*
DEST_KEY = queue
FORMAT = nullQueue

[ignore_lbchecks]
REGEX = ^.\sKEMP\S\s.*
DEST_KEY = queue
FORMAT = nullQueue

Sample log record:
2013-03-02 00:00:00 192.168.40.224 HEAD /owa - 443 - 192.168.40.222 KEMP+1.0 - - 301 0 0 245 81 0


yannK
Splunk Employee

There is no space after KEMP in your sample.
You can also try a smaller regex; there is no need to match the full line.

[ignore_lbchecks]
REGEX = \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sKEMP
DEST_KEY = queue
FORMAT = nullQueue

To verify, try this search in Splunk:

sourcetype=iis KEMP | regex _raw="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sKEMP"

Also, you can use a single TRANSFORMS line in props.conf:

TRANSFORMS-filternullQueue = ignore_comments, ignore_lbchecks



dlofstrom
Path Finder

That was it! Thanks for clarifying.


yannK
Splunk Employee

That's why

To clarify the setup, this config is running on the Universal Forwarder on one of our Exchange servers, under the TA folder's 'local' directory. The indexer as far as I know shouldn't need these configs as it's my understanding the parsing is done at the forwarder, correct?

The parsing/filtering occurs on the indexers (or heavy forwarder) only.
Please move your props/transforms to the indexer.


dlofstrom
Path Finder

I must still be doing something wrong because it still captures the load balancer lines.

I updated the regex after confirming it via search, then updated TRANSFORMS to a single comma separated line as suggested above.

To clarify the setup, this config is running on the Universal Forwarder on one of our Exchange servers, under the TA folder's 'local' directory. The indexer as far as I know shouldn't need these configs as it's my understanding the parsing is done at the forwarder, correct?


dlofstrom
Path Finder

Here's the corrected props.conf/transforms.conf code. The style I chose stripped out the backslashes and for some reason captcha keeps failing whenever I try to edit it...

props.conf

[MSWindows:2008R2:IIS]
TZ = GMT
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
TRANSFORMS-comments = ignore_comments
TRANSFORMS-balancer = ignore_lbchecks

transforms.conf
[ignore_comments]
REGEX = ^#.*
DEST_KEY = queue
FORMAT = nullQueue

[ignore_lbchecks]
REGEX = ^.*\sKEMP\S*\s.*
DEST_KEY = queue
FORMAT = nullQueue
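To see why the first ignore_lbchecks regex never matched while the accepted answer's and the corrected one do, here is an added Python emulation of the nullQueue routing (example code written for this page, not from the thread or from Splunk). It runs the thread's three regexes, plus a hypothetical tighter variant keyed on the load balancer's c-ip, over constructed IIS log lines that include the sample record from the question.

```python
import re

# Constructed IIS W3C log lines; the KEMP line is the sample from the thread, the
# others are made up for this example. After c-ip comes cs(User-Agent), then referer
# and status fields.
SAMPLE_LINES = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)",
    "2013-03-02 00:00:00 192.168.40.224 HEAD /owa - 443 - 192.168.40.222 KEMP+1.0 - - 301 0 0 245 81 0",
    "2013-03-02 00:00:01 192.168.40.224 GET /owa/ - 443 CORP\\jdoe 10.1.2.3 Mozilla/5.0+(Windows+NT+6.1) - - 200 0 0 1523 612 15",
    # A client that is not the load balancer but presents the same User-Agent string.
    "2013-03-02 00:00:02 192.168.40.224 GET /owa/ - 443 - 10.9.9.9 KEMP+1.0 - - 200 0 0 1523 612 15",
]

COMMENTS = ("ignore_comments", r"^#.*")
# The three ignore_lbchecks stanzas exactly as they appear in the thread.
ORIGINAL = [COMMENTS, ("ignore_lbchecks", r"^.\sKEMP\S\s.*")]
ACCEPTED = [COMMENTS, ("ignore_lbchecks", r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sKEMP")]
CORRECTED = [COMMENTS, ("ignore_lbchecks", r"^.*\sKEMP\S*\s.*")]
# Hypothetical tighter variant (an assumption of this example): keyed on the load
# balancer's own c-ip as well as the User-Agent, so only its health checks are dropped.
TIGHTER = [COMMENTS, ("ignore_lbchecks", r"\s192\.168\.40\.222\sKEMP\S*\s")]


def route(line, transforms):
    """Emulate a TRANSFORMS-* list whose stanzas use DEST_KEY = queue / FORMAT = nullQueue.

    Every listed transform runs in order and REGEX is applied as an unanchored PCRE
    search; any match sends the event to nullQueue. Returns (queue, matched names).
    """
    queue, matched = "indexQueue", []
    for name, pattern in transforms:
        if re.search(pattern, line):
            queue = "nullQueue"
            matched.append(name)
    return queue, matched


def indexed(lines, transforms):
    """Lines that would reach the indexer under the given transform list."""
    return [line for line in lines if route(line, transforms)[0] == "indexQueue"]


if __name__ == "__main__":
    for label, transforms in [("original", ORIGINAL), ("accepted", ACCEPTED),
                              ("corrected", CORRECTED), ("tighter", TIGHTER)]:
        kept = indexed(SAMPLE_LINES, transforms)
        print(f"{label:9s}: {len(kept)} of {len(SAMPLE_LINES)} lines indexed")
        for line in kept:
            print("   ", line[:72])
```

The original pattern fails because `^.\s` demands a space as the second character of the line and `\S` allows only one character between KEMP and the next space. The tighter variant matters because cs(User-Agent) is supplied by the client, so a filter keyed on that field alone also drops requests from any other host that sends KEMP+1.0, and those never reach the index.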