Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to limit iis logs to 4xx and 5xx statuses in universal forwarder

agatesoftware
New Member
‎10-15-2019 01:14 PM

I am trying to limit the input of iis logs to only 4xx and 5xx vaqlues in the sc_status field. In the etc\system\local directory I have created an inputs.conf, props.conf. and transforms.conf files with the following entries. I have tried many variations of the REGEX entry in the transforms.conf but nothing seems to work. It is currently set to only get 4xx statuses. Please help

inputs.conf
[monitor://C:\inetpub\logs\LogFiles\W3SVC3]
disabled=false
followTail = 0
sourcetype=iis

props.conf
[iis]
TRANSFORMS-HttpErrorsOnly=HttpErrorsOnly

transforms.conf
[HttpErrorsOnly]
SOURCE_KEY=field:sc_status
REGEX=4[0-9][0-9]
DEST_KEY=queue
FORMAT=nullQueue

Tags (1)
0 Karma
Reply

jdhunter
Path Finder
‎10-15-2019 02:21 PM

Props and transforms will not parse the data on Universal Forwarders. See - https://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

You might be able to use whitelist in inputs.conf. I have used this method for Windows event codes, but haven't done it on IIS logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...