I'm trying to route certain IIS logs to the nullQueue but it doesn't seem to be working.
The IIS log entry looks like this:
2014-02-19 20:31:06 W3SVC1 Server1 10.10.10.1 GET /login.aspx - 80 - 10.10.1.1 HTTP/1.1 HTTP_monitor/10.0 - - websitelogin.com 200 0 0 5212 87 15
On my indexer, I have set up /etc/system/local/props.conf like this:
[iis*]
TRANSFORMS-set = dropHTTPmonitor
Then I have /etc/system/local/transforms.conf like this:
[dropHTTPmonitor]
REGEX = (10\.10\.1\.1).*(HTTP_monitor\/10\.0)
DEST_KEY = queue
FORMAT = nullQueue
Restarted splunkd, and Splunk is still not dropping the events as I think it should. I tried simplifying the regex down to just (HTTP_monitor) and that didn't seem to work either.
Any ideas? (Splunk Enterprise 6.0.1 and universal forwarder 6.0.1-189883 (x64))
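A local check for the two stanzas in the question, added here as an illustration and not part of the original thread: it parses the props.conf and transforms.conf stanzas exactly as posted, applies the REGEX to the HTTP_monitor line from the question plus a constructed real-user login line, and reports which queue each event would be routed to. The second sample event and the parser are constructed for this check; Splunk's own conf parsing and regex engine (PCRE) are not used.

```python
import re

# Constructed sample events: the first is the HTTP_monitor probe line from the
# question, the second is a constructed real user login that must NOT be dropped.
EVENTS = [
    "2014-02-19 20:31:06 W3SVC1 Server1 10.10.10.1 GET /login.aspx - 80 - 10.10.1.1 "
    "HTTP/1.1 HTTP_monitor/10.0 - - websitelogin.com 200 0 0 5212 87 15",
    "2014-02-19 20:31:07 W3SVC1 Server1 10.10.10.1 POST /login.aspx - 80 - 192.0.2.44 "
    "HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - - websitelogin.com 302 0 0 412 951 31",
]
# The two stanzas as posted in the question (props.conf and transforms.conf).
PROPS_CONF = """[iis*]
TRANSFORMS-set = dropHTTPmonitor
"""
TRANSFORMS_CONF = r"""[dropHTTPmonitor]
REGEX = (10\.10\.1\.1).*(HTTP_monitor\/10\.0)
DEST_KEY = queue
FORMAT = nullQueue
"""

def parse_conf(text):
    """Minimal parser for Splunk-style .conf text: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_event(event, transform_names, transforms):
    """Apply queue transforms in TRANSFORMS-* order; the last matching one wins."""
    queue = "indexQueue"  # default destination when no transform matches
    for name in transform_names:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue

def route_all(events, props_stanza="iis*"):
    """Route every event using the TRANSFORMS-set list of the given props stanza."""
    props = parse_conf(PROPS_CONF)[props_stanza]
    names = [n.strip() for n in props["TRANSFORMS-set"].split(",")]
    transforms = parse_conf(TRANSFORMS_CONF)
    return [route_event(e, names, transforms) for e in events]
```

This only confirms that the regex and the queue routing logic are correct for the sample line; it says nothing about where in the Splunk pipeline the transform runs. With INDEXED_EXTRACTIONS the universal forwarder does the parsing, so a queue transform placed only on the indexer is never applied to those events and the same stanzas also have to be deployed on the forwarder.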
Just know that it will only drop newly added events. The old events with that log line will still be there unless you add the Can_Delete role and run a search such as:
* HTTP_monitor | delete
Unfortunately, I had to resort to setting the sourcetype on the forwarder to "iisw3c" and then setting up props.conf and transforms.conf like I did for IIS in Splunk 5. I really wish I could get the nullQueue transform working with the Splunk 6 "INDEXED_EXTRACTIONS".
You have complete control over any given sourcetype, so to make it easier I always start with not using IIS, since that is one of the default source types for Splunk. Further, once you have control over your sourcetype, you can do any preferred field extractions the way you want and your nullQueue will be fine.
How would I go about changing this in Splunk 6? The default props.conf has the INDEXED_EXTRACTIONS setting. Do I just place an [iis] stanza in my local props.conf and set everything as I did with the Splunk 5.x IIS extractions?
Oh, did not know you were getting your header info that way. Try the 5.x method using either DELIMS or just plain old EXTRACT or a REPORT with props and transforms and see if that works.