
Filter Client IP from IIS 7.5 Logs

rmsit
Communicator

Hello, all.

I would like to filter out a specific client IP address from my IIS logs. What would be the best approach, have the UF or indexer perform the filtering and how do I go about doing that? Configuration for indexer below. Thanks! - James

Props.conf
[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = False
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments

Transforms.conf

# IIS W3C Log field extractions (Identical in IIS 6 and 7)

# These assume that you have enabled all available fields to be logged

[iisw3cfields]
DELIMS = " "
FIELDS = date,time,s_sitename,s_computername,s_ip,cs_method,cs_uri_stem,cs_uri_query,s_port,cs_username,c_ip,cs_version,cs(User_Agent),cs(Cookie),cs(Referer),cs_host,sc_status,sc_substatus,sc_win32_status,sc_bytes,cs_bytes,time_taken

0 Karma

lguinn2
Legend

It is generally best to filter at the indexer, because you want to keep the forwarder as lightweight as possible (since it is usually running on a production server). But you can't filter on a universal forwarder anyway - it doesn't do parsing. All of the filtering settings must go on the indexer, as filtering happens during parsing time.

Add to props.conf

TRANSFORMS-filter1 = filter_ip

Add to transforms.conf

[filter_ip]
REGEX = 192\.168\.1\.172
DEST_KEY = queue
FORMAT = nullQueue

You could make the regular expression more specific; in my example, it is looking for an IP address that appears anywhere in the event.

BTW, I notice that you have TRANSFORMS-removecomments = removecomments in your props.conf, but no corresponding stanza in transforms.conf...

0 Karma

rmsit
Communicator

I may have answered my own question. I will see if this works. Thanks again.

REGEX = c_ip=("192.80.134.59|192.67.213.194|192.67.213.166")

0 Karma

lguinn2
Legend

You should not include the field name c_ip

At this point in the parsing process, Splunk can't use the field names. So it should be

REGEX = 192\.80\.134\.59|192\.67\.213\.194|192\.67\.213\.166

Or maybe there is a way... but it won't be using the regex that you showed. I'll look it up...

0 Karma
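The nullQueue stanza above and the later question about filtering on the c_ip field can be checked against sample events before touching the indexer. The following is an added example, not code from the thread or from Splunk: it emulates the transforms.conf match with Python's re module (Splunk uses PCRE, but these patterns behave the same in both) over constructed IIS W3C lines in the 22-field layout from the FIELDS list, and builds a regex pinned to the c_ip column instead of relying on a field name that does not exist at parse time.

```python
import re

# Constructed IIS W3C events in the 22-field layout from the thread's FIELDS list
# (c_ip is the 11th space-delimited column). Not real log data.
SAMPLE_EVENTS = [
    "2014-05-01 10:00:00 W3SVC1 WEB01 10.0.0.5 GET /index.html - 80 - 192.80.134.59 HTTP/1.1 Mozilla/5.0 - - example.com 200 0 0 512 300 15",
    "2014-05-01 10:00:01 W3SVC1 WEB01 10.0.0.5 GET /api/items - 80 - 192.67.213.194 HTTP/1.1 curl/7.0 - - example.com 200 0 0 1024 200 9",
    "2014-05-01 10:00:02 W3SVC1 WEB01 10.0.0.5 GET /health - 80 - 192.80.134.5 HTTP/1.1 probe/1.0 - - example.com 200 0 0 64 100 2",
    "2014-05-01 10:00:03 W3SVC1 WEB01 10.0.0.5 GET /x ref=192.67.213.166 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0 - - example.com 404 0 2 64 100 2",
]


def route(event: str, regex: str) -> str:
    """Emulate a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue.
    Splunk runs REGEX against the raw event text at parse time (no field names exist
    yet); a match sends the event to nullQueue, otherwise it goes on to indexQueue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def c_ip_filter_regex(ips: list[str], column: int = 11) -> str:
    """Build a REGEX that drops events whose c_ip column is exactly one of `ips`.
    Dots are escaped (an unescaped '.' matches any character) and the match is
    pinned to the Nth space-delimited column, so an IP that appears in cs_uri_query
    is ignored and 192.80.134.5 does not also match 192.80.134.59."""
    alternation = "|".join(re.escape(ip) for ip in ips)
    return r"^(?:\S+\s+){%d}(?:%s)(?:\s|$)" % (column - 1, alternation)


def dropped(regex: str) -> list[int]:
    """Indexes of SAMPLE_EVENTS that the given REGEX would send to nullQueue."""
    return [i for i, e in enumerate(SAMPLE_EVENTS) if route(e, regex) == "nullQueue"]


if __name__ == "__main__":
    targets = ["192.80.134.59", "192.67.213.194", "192.67.213.166"]
    # Field-name form from the thread: never matches, the raw text has no "c_ip=".
    print(dropped(r"c_ip=(192.80.134.59|192.67.213.194|192.67.213.166)"))  # []
    # Plain alternation: drops the two intended events but also event 3, where
    # 192.67.213.166 appears in the query string, not in c_ip.
    print(dropped(r"192.80.134.59|192.67.213.194|192.67.213.166"))  # [0, 1, 3]
    # Column-pinned, escaped form: only events whose client IP is in the list.
    print(dropped(c_ip_filter_regex(targets)))  # [0, 1]
    # Substring hazard: a bare regex for 192.80.134.5 also swallows 192.80.134.59.
    print(dropped(r"192\.80\.134\.5"))  # [0, 2]
    print(dropped(c_ip_filter_regex(["192.80.134.5"])))  # [2]
```

The string returned by c_ip_filter_regex is what would go after REGEX = in the [filter_ip] stanza; adjust the column argument if your IIS site logs a different set of fields.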

montgomeryam
Path Finder

@lguinn Did you by chance have a chance to look this up and determine how to filter by field names?

I am trying to do the same, but not having any luck.

0 Karma

rmsit
Communicator

Thanks so much. So if I wanted to drop a specific IP address from field "c_ip", I would specify this in transforms.conf? How could I specify multiple IP addresses not on the same subnet?

[filter_ip]
REGEX = c_ip=192.168.1.254
DEST_KEY = queue
FORMAT = nullQueue

0 Karma