Getting Data In

Need to limit iis logs to 4xx and 5xx statuses in universal forwarder

agatesoftware
New Member

I am trying to limit the input of iis logs to only 4xx and 5xx vaqlues in the sc_status field. In the etc\system\local directory I have created an inputs.conf, props.conf. and transforms.conf files with the following entries. I have tried many variations of the REGEX entry in the transforms.conf but nothing seems to work. It is currently set to only get 4xx statuses. Please help

inputs.conf
[monitor://C:\inetpub\logs\LogFiles\W3SVC3]
disabled=false
followTail = 0
sourcetype=iis

props.conf
[iis]
TRANSFORMS-HttpErrorsOnly=HttpErrorsOnly

transforms.conf
[HttpErrorsOnly]
SOURCE_KEY=field:sc_status
REGEX=4[0-9][0-9]
DEST_KEY=queue
FORMAT=nullQueue

Tags (1)
0 Karma

jdhunter
Path Finder

Props and transforms will not parse the data on Universal Forwarders. See - https://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

You might be able to use whitelist in inputs.conf. I have used this method for Windows event codes, but haven't done it on IIS logs.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...