Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk 6 - IIS nullQueue

rtafoya
Explorer
‎02-19-2014 01:17 PM

I'm trying to route certain IIS logs to the nullQueue but it doesn't seem to be working.
the IIS log entry looks like this:

2014-02-19 20:31:06 W3SVC1 Server1 10.10.10.1 GET /login.aspx - 80 - 10.10.1.1 HTTP/1.1 HTTP_monitor/10.0 - - websitelogin.com 200 0 0 5212 87 15

On my Indexer, I have setup /etc/system/local/props.conf like this:

[iis*]
TRANSFORMS-set = dropHTTPmonitor

Then I have /etc/system/local/transforms.conf like this:

[dropHTTPmonitor]
REGEX = (10\.10\.1\.1).*(HTTP_monitor\/10\.0)
DEST_KEY = queue
FORMAT = nullQueue

Restarted splunkd and splunk is still not dropping the events as I think it should. I tried simplifying the regex down to just (HTTP_monitor) and that didn't seem to work either.

Any ideas? (Splunk Enterprise 6.0.1 and universial forwarder 6.0.1-189883 (x64))

Tags (3)
0 Karma
Reply

cdupuis123
Path Finder
‎09-22-2014 01:00 PM

rtafoya you ever figure this out? I'm have the same type issue trying to nullQueue some load balancer noise out of the indexer. thanks!

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 01:46 PM

Just know that it will only drop newly added events. The old events with that log line will still be there unless you add the role of Can_Delete and run a search to

* HTTP_monitor | delete
0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 02:28 PM

Does my suggestion above work?

0 Karma
Reply

rtafoya
Explorer
‎02-19-2014 02:26 PM

Thanks. Yes, I am aware that the already indexed events will not be dropped.

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 01:44 PM

Just this?

[dropHTTPmonitor]
REGEX = HTTP_monitor
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

rtafoya
Explorer
‎02-20-2014 02:50 PM

Unfortunately, I had to resort to setting sourcetype on the forwarder to "iisw3c" then setup props.conf and transforms.conf like I did IIS in splunk 5. I really wish i could get the nullQueue transform working with the Splunk 6 "INDEXED_EXTRACTIONS".

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎02-20-2014 08:21 AM

You have complete control over any given sourcetype so to make it easier I always start with not using IIS since that is one of the default source types for Splunk. Further, once you have control over your sourcetype then you can do any preferred field extractions the way you want and your nullqueue will be fine.

0 Karma
Reply

rtafoya
Explorer
‎02-20-2014 07:36 AM

How would I go about changing this in Splunk 6? the Default props.conf has the INDEXED_EXTRACTIONS setting. Do I just place a [iis] stanza in my local props.conf and set everything as i did with Splunk 5x iis extractions?

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 02:53 PM

Oh, did not know you were getting your header info that way. Try the 5.x method using either DELIMS or just plain old EXTRACT or a REPORT with props and transforms and see if that works.

0 Karma
Reply

rtafoya
Explorer
‎02-19-2014 02:31 PM

I tried using the regex you suggested above, but that did not work.
Maybe this has to do with the new INDEXED_EXTRACTIONS settings for iis in Splunk 6.0?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...