Getting Data In

Why is my props.conf and transforms.conf configuration not filtering out IIS logs as expected?

Rotema
Path Finder

Hi,

I have the following IIS log:

2015-11-26 11:19:37 10.10.90.36 GET /webpl3/Handlers/ClientState/ClientState.ashx 0.06813673302531242&methodName=GetData&requestMode=1&csmg=f657d767-f8e6-46ea-a3d6-c6bd7ff68ee6 2600 6250447 83.220.237.124 Mozilla/5.0+(Linux;+Android+5.1.1;+D6603+Build/23.4.A.1.232;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/4.0+Chrome/46.0.2490.76+Mobile+Safari/537.36++PG_ANDROID_FXNET https://mt.iforex.com/webpl3/MobileMain.aspx?view=2 200 0 0 0

I'm trying to filter it out so Splunk won't index it and use my license.

What I did is:

Props.conf:

[sourcetype::iis]
TRANSFORMS-wmi=wminull9

Transforms.conf:
[wminull9]
REGEX = \[ClientState\]
DEST_KEY=queue
FORMAT=nullQueue

But it's not working and I still see this event on Splunk.

Can anyone help?

Thanks,
Rotem

0 Karma

MuS
SplunkTrust

Hi Rotema,

a few things that I can think of:

  • the stanza in your props.conf should be [iis]
  • Your TRANSFORMS-wmi might not be unique; try TRANSFORMS-wmiNullQueue=wminull9
  • Your regex does not match; try REGEX = ClientState because in your provided example there is no [ or ] around ClientState
  • Put your props.conf and transforms.conf on the Splunk instance where the events will be parsed, so either a heavyweight forwarder or an indexer
  • Restart Splunk

Hope this helps ...

cheers, MuS
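The fixes listed in the answer above, as an added example that is not part of the thread and not Splunk's own code: a small Python simulation of the parse-time nullQueue routing. It loads the props.conf/transforms.conf pair in four states (the stanza and regex as posted, the stanza fixed, the regex fixed, and a tightened regex anchored on the request path, which is an assumption of this example and not from the thread) and routes three sample events through them. The first event is the line from the question; the other two are constructed here in the same IIS layout, one of them mentioning ClientState only in the referrer field to show what the loose regex would also drop. Stanza parsing is a plain INI parse, not Splunk's configuration merging, and only a plain [<sourcetype>] stanza is honoured.

```python
"""Simulate Splunk TRANSFORMS-* nullQueue routing for the IIS case in the thread.

Added example, not Splunk code: at parse time each transform listed in a
TRANSFORMS-* setting for the event's sourcetype runs its REGEX against the raw
event, and a match with DEST_KEY=queue / FORMAT=nullQueue drops the event.
"""
import configparser
import re

# props.conf as posted: the stanza name is not a plain sourcetype, so it
# attaches nothing to events of sourcetype "iis".
BROKEN_PROPS_CONF = """
[sourcetype::iis]
TRANSFORMS-wmi = wminull9
"""

# props.conf with the stanza fixed to [iis] and a distinctive TRANSFORMS- name.
PROPS_CONF = """
[iis]
TRANSFORMS-wmiNullQueue = wminull9
"""

# transforms.conf as posted: the event never contains literal [ClientState].
BROKEN_TRANSFORMS_CONF = r"""
[wminull9]
REGEX = \[ClientState\]
DEST_KEY = queue
FORMAT = nullQueue
"""

# transforms.conf with the regex corrected to a string that occurs in the event.
TRANSFORMS_CONF = r"""
[wminull9]
REGEX = ClientState
DEST_KEY = queue
FORMAT = nullQueue
"""

# Assumed tighter variant (not from the thread): anchor on the request method
# and path so only hits on the handler are dropped, not every event that
# happens to mention ClientState somewhere (e.g. in the referrer field).
TIGHT_TRANSFORMS_CONF = r"""
[wminull9]
REGEX = \sGET\s/webpl3/Handlers/ClientState/ClientState\.ashx\s
DEST_KEY = queue
FORMAT = nullQueue
"""

# Sample events: [0] is the line from the question (user agent shortened);
# [1] and [2] are constructed for illustration.
SAMPLE_EVENTS = [
    "2015-11-26 11:19:37 10.10.90.36 GET /webpl3/Handlers/ClientState/ClientState.ashx "
    "0.06813673302531242&methodName=GetData&requestMode=1&csmg=f657d767-f8e6-46ea-a3d6-c6bd7ff68ee6 "
    "2600 6250447 83.220.237.124 Mozilla/5.0+(Linux;+Android+5.1.1)+Chrome/46.0.2490.76+Mobile+Safari/537.36 "
    "https://mt.iforex.com/webpl3/MobileMain.aspx?view=2 200 0 0 0",
    "2015-11-26 11:19:38 10.10.90.36 GET /webpl3/MobileMain.aspx view=2 443 - 83.220.237.124 "
    "Mozilla/5.0+(Linux;+Android+5.1.1)+Chrome/46.0.2490.76+Mobile+Safari/537.36 "
    "https://mt.iforex.com/ 200 0 0 15",
    "2015-11-26 11:20:02 10.10.90.36 GET /webpl3/Default.aspx - 443 - 83.220.237.124 "
    "Mozilla/5.0+(Windows+NT+10.0)+Chrome/46.0.2490.76+Safari/537.36 "
    "https://mt.iforex.com/webpl3/Handlers/ClientState/ClientState.ashx 200 0 0 4",
]


def _parse(text):
    """Parse a .conf fragment; keys keep their case, no %-interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def load_transforms(props_text, transforms_text, sourcetype):
    """Return [(name, compiled_regex, dest_key, format)] attached to sourcetype."""
    props = _parse(props_text)
    transforms = _parse(transforms_text)
    names = []
    if props.has_section(sourcetype):
        for key, value in props.items(sourcetype):
            if key.startswith("TRANSFORMS-"):
                names.extend(n.strip() for n in value.split(","))
    loaded = []
    for name in names:
        stanza = transforms[name]
        loaded.append((name, re.compile(stanza["REGEX"]),
                       stanza.get("DEST_KEY"), stanza.get("FORMAT")))
    return loaded


def route(raw_event, transforms):
    """indexQueue unless a queue transform's REGEX matches; then its FORMAT wins."""
    queue = "indexQueue"
    for _name, regex, dest_key, fmt in transforms:
        if dest_key == "queue" and regex.search(raw_event):
            queue = fmt
    return queue


def simulate(props_text, transforms_text, sourcetype, events):
    """Route every event and return the list of queues, in input order."""
    transforms = load_transforms(props_text, transforms_text, sourcetype)
    return [route(e, transforms) for e in events]


if __name__ == "__main__":
    for label, props, trans in [
        ("stanza and regex as posted", BROKEN_PROPS_CONF, BROKEN_TRANSFORMS_CONF),
        ("stanza fixed, regex as posted", PROPS_CONF, BROKEN_TRANSFORMS_CONF),
        ("stanza and regex fixed", PROPS_CONF, TRANSFORMS_CONF),
        ("tightened regex", PROPS_CONF, TIGHT_TRANSFORMS_CONF),
    ]:
        print(f"{label:32} {simulate(props, trans, 'iis', SAMPLE_EVENTS)}")
```

The first two states route every event to indexQueue, which is the symptom in the question; the corrected pair drops the handler event but also the constructed event whose referrer mentions ClientState, and the tightened regex drops only the handler hit. On a real indexer or heavy forwarder, `splunk btool props list iis --debug` and `splunk btool transforms list wminull9 --debug` show whether the stanzas are actually loaded and from which file, and, as the answer notes, the filter only takes effect on the instance that parses the data.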
