Solved: Re: IIS failedRequests - How to define line breaki...

rune_hellem · ‎11-10-2014

I am trying to configure Splunk to index IIS failedrequests. My priority is

To have Splunk indexing the Event- tags correctly
To index the single Failedrequest-tag which every file starts with
And then finally least imporant ignoring XML declarations and comments (to avoid DateParserErrors)

My current config

props.conf

[iisfailedrequests]
TIME_FORMAT=%Y-%m-%dT%T.%L
TIME_PREFIX=<TimeCreated SystemTime=\"
MAX_TIMESTAMP_LOOKAHEAD=128
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^<Event|^<failedRequest
TRANSFORMS-removexml = removexml

transforms.conf

[removexml]
REGEX = (^\<\?xml.*|^\<\!--.*)
DEST_KEY = queue
FORMAT = nullQueue

And an example

<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type='text/xsl' href='freb.xsl'?>
<!-- saved from url=(0014)about:internet -->
<failedRequest url="http://server.company.domain/SAFService/SAFService.svc"
               siteId="7"
               appPoolId="SafServiceAppPool"
               processId="3872"
               verb="POST"
               remoteUserName=""
               userName=""
               tokenUserName="NT AUTHORITY\IUSR"
               authenticationType="anonymous"
               activityId="{00000000-0000-0000-977F-0080000000FD}"
               failureReason="STATUS_CODE"
               statusCode="500"
               triggerStatusCode="500"
               timeTaken="59782"
               xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
               >
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDADADA0D9B0F83}"/>
  <EventID>0</EventID>
  <Version>1</Version>
  <Level>0</Level>
  <Opcode>1</Opcode>
  <Keywords>0x0</Keywords>
  <TimeCreated SystemTime="2014-10-30T09:51:21.274Z"/>
  <Correlation ActivityID="{00000000-0000-0000-977F-0080000000FD}"/>
  <Execution ProcessID="3872" ThreadID="3460"/>
  <Computer>KLPDSTCPH050V</Computer>
 </System>
 <EventData>
  <Data Name="ContextId">{00000000-0000-0000-977F-0080000000FD}</Data>
  <Data Name="SiteId">7</Data>
  <Data Name="AppPoolId">SafServiceAppPool</Data>
  <Data Name="ConnId">1610645394</Data>
  <Data Name="RawConnId">0</Data>
  <Data Name="RequestURL">http://server.company.domain/SAFService/SAFService.svc</Data>
  <Data Name="RequestVerb">POST</Data>
 </EventData>
 <RenderingInfo Culture="nb-NO">
  <Opcode>GENERAL_REQUEST_START</Opcode>
 </RenderingInfo>
 <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
  <EventGuid>{D42CF7EF-DE92-473E-8B6C-621EAADADE663113A}</EventGuid>
 </ExtendedTracingInfo>
</Event>

rune_hellem · ‎11-12-2014

It turned out that all above is correct, but I was not aware of the need to restart Splunk - I did only

splunk reload deploy-server

So now when I checked a few days later, all was fine.

View solution in original post

rune_hellem · ‎11-12-2014

It turned out that all above is correct, but I was not aware of the need to restart Splunk - I did only

splunk reload deploy-server

So now when I checked a few days later, all was fine.

IIS failedRequests - How to define line breaking for XML / Filter events in XML to nullQueue

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

IIS failedRequests - How to define line breaking for XML / Filter events in XML to nullQueue

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases