- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- IIS Log Files parsing and Removing Load Balance He...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IIS Log Files parsing and Removing Load Balance Health Check
I,m using the new 7.0.0 version of Splunk at my distributed installation (Indexer,Search Head) and i´m trying to parse iis logs from a Windows Server 2016.
The parsing is working but i´ve tried to avoid some noise (Probe validation from Load Balancer) using "nullqueue" but somehow, that it´s not working.
The noisy probe logs still is coming...
Here we go:
Part of of the IIS log file:
Software: Microsoft Internet Information Services 10.0
Version: 1.0
Date: 2017-09-30 18:22:33
Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2017-09-30 18:22:33 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 718
2017-09-30 18:22:38 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 15
2017-09-30 18:22:43 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 15
2017-09-30 18:22:48 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 15
2017-09-30 18:22:53 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 15
2017-09-30 18:22:58 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 15
2017-09-30 18:23:03 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 0
2017-09-30 18:23:08 W3SVC6 10.50.10.40 GET / - 25002 - 168.63.129.16 Load+Balancer+Agent - 100.76.216.215:25002 200 0 0 15*
*inputs.conf (at C:\Program Files\SplunkUniversalForwarder\etc\system\local) Universal Forwarder *
[monitor://C:\Logs\IIS\W3SV**.log]
index = private_backend
sourcetype = iis
disabled = false
ignoreOlderThan = 0d
*/opt/splunk/etc/system/local/props.conf (at the Indexer server) *
[iis]
TRANSFORMS-null=remove_log_probe
*/opt/splunk/etc/system/local/transforms.conf (at the Indexer server) *
[remove_log_probe]
REGEX=Load\SBalancer\SAgent
DEST_KEY=queue
FORMAT=nullQueue
I´m definetily missing something (maybe silly rsrsr). Can, please, somebody help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi felipemn,
I'm not sure to have understood your need: do you want to discard events where there is Load+Balancer+Agent ?
If this is your need your regex is correct, also if I'd use Load\+Balancer\+Agent
Anyway, as you can see in http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad , I think that you have to modify:
props.conf
[iis]
TRANSFORMS-null=set_index,remove_log_probe
transforms.conf
[remove_log_probe]
REGEX = Load\+Balancer\+Agent
DEST_KEY = queue
FORMAT = nullQueue
[set_index]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe
Thanks for the help. Unfortunatelly it didn´t work yet.
Is there any way to debug the process of parsing and check whats going on?
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
