Getting Data In

IIS failedRequests - How to define line breaking for XML / Filter events in XML to nullQueue

rune_hellem
Contributor

I am trying to configure Splunk to index IIS failedrequests. My priority is

  1. To have Splunk indexing the Event- tags correctly
  2. To index the single Failedrequest-tag which every file starts with
  3. And then finally least imporant ignoring XML declarations and comments (to avoid DateParserErrors)

My current config

props.conf

[iisfailedrequests]
TIME_FORMAT=%Y-%m-%dT%T.%L
TIME_PREFIX=<TimeCreated SystemTime=\"
MAX_TIMESTAMP_LOOKAHEAD=128
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^<Event|^<failedRequest
TRANSFORMS-removexml = removexml

transforms.conf

[removexml]
REGEX = (^\<\?xml.*|^\<\!--.*)
DEST_KEY = queue
FORMAT = nullQueue

And an example

<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type='text/xsl' href='freb.xsl'?>
<!-- saved from url=(0014)about:internet -->
<failedRequest url="http://server.company.domain/SAFService/SAFService.svc"
               siteId="7"
               appPoolId="SafServiceAppPool"
               processId="3872"
               verb="POST"
               remoteUserName=""
               userName=""
               tokenUserName="NT AUTHORITY\IUSR"
               authenticationType="anonymous"
               activityId="{00000000-0000-0000-977F-0080000000FD}"
               failureReason="STATUS_CODE"
               statusCode="500"
               triggerStatusCode="500"
               timeTaken="59782"
               xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
               >
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDADADA0D9B0F83}"/>
  <EventID>0</EventID>
  <Version>1</Version>
  <Level>0</Level>
  <Opcode>1</Opcode>
  <Keywords>0x0</Keywords>
  <TimeCreated SystemTime="2014-10-30T09:51:21.274Z"/>
  <Correlation ActivityID="{00000000-0000-0000-977F-0080000000FD}"/>
  <Execution ProcessID="3872" ThreadID="3460"/>
  <Computer>KLPDSTCPH050V</Computer>
 </System>
 <EventData>
  <Data Name="ContextId">{00000000-0000-0000-977F-0080000000FD}</Data>
  <Data Name="SiteId">7</Data>
  <Data Name="AppPoolId">SafServiceAppPool</Data>
  <Data Name="ConnId">1610645394</Data>
  <Data Name="RawConnId">0</Data>
  <Data Name="RequestURL">http://server.company.domain/SAFService/SAFService.svc</Data>
  <Data Name="RequestVerb">POST</Data>
 </EventData>
 <RenderingInfo Culture="nb-NO">
  <Opcode>GENERAL_REQUEST_START</Opcode>
 </RenderingInfo>
 <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
  <EventGuid>{D42CF7EF-DE92-473E-8B6C-621EAADADE663113A}</EventGuid>
 </ExtendedTracingInfo>
</Event>
1 Solution

rune_hellem
Contributor

It turned out that all above is correct, but I was not aware of the need to restart Splunk - I did only

splunk reload deploy-server

So now when I checked a few days later, all was fine.

View solution in original post

0 Karma

rune_hellem
Contributor

It turned out that all above is correct, but I was not aware of the need to restart Splunk - I did only

splunk reload deploy-server

So now when I checked a few days later, all was fine.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...