Hello,
I cannot get transforms to work. I have read a lot of posts, but it seems I'm missing something.
I want to use the Microsoft IIS Add-on. I have installed it in the Splunk farm. Now there are some events I do not need and want to exclude from indexing.
I have added /opt/splunk/etc/manager-apps/Splunk_TA_microsoft-iis/local/props.conf
[ms:iis:auto]
TRANSFORMS-remove_healthcheck = remove_health_check
TRANSFORMS-remove_aes = remove_active_sync

and /opt/splunk/etc/manager-apps/Splunk_TA_microsoft-iis/local/transforms.conf

[remove_health_check]
REGEX = .*healthcheck.htm.*
DEST_KEY = queue
FORMAT = nullQueue

[remove_active_sync]
REGEX = .*Microsoft-Server-ActiveSync.*
DEST_KEY = queue
FORMAT = nullQueue

and then redeployed the bundle with
../bin/splunk apply cluster-bundle --answer-yes
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Created new bundle with checksum=8F0F556530244F68D99DC60D00CBB8CD
Applying new bundle. The peers may restart depending on the configurations in applied bundle.
Please run 'splunk show cluster-bundle-status' for checking the status of the applied bundle.
OK
../bin/splunk show cluster-bundle-status
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
master
cluster_status=None
active_bundle
checksum=8F0F556530244F68D99DC60D00CBB8CD
timestamp=1762857886 (in localtime=Tue Nov 11 10:44:46 2025)
latest_bundle
checksum=8F0F556530244F68D99DC60D00CBB8CD
timestamp=1762857886 (in localtime=Tue Nov 11 10:44:46 2025)
last_validated_bundle
checksum=8F0F556530244F68D99DC60D00CBB8CD
last_validation_succeeded=1
timestamp=1762857886 (in localtime=Tue Nov 11 10:44:46 2025)
last_check_restart_bundle
last_check_restart_result=restart not required
checksum=
timestamp=0 (in localtime=Thu Jan 1 00:00:00 1970)
splunkindexcn3 749BF3E2-CAA8-442F-9957-9A8BCD34C35C default
active_bundle=8F0F556530244F68D99DC60D00CBB8CD
latest_bundle=8F0F556530244F68D99DC60D00CBB8CD
last_validated_bundle=8F0F556530244F68D99DC60D00CBB8CD
last_bundle_validation_status=success
restart_required_apply_bundle=0
status=Up
splunkindexcn1 74C24C34-8967-4D87-B0EF-F71B0E3DB18C default
active_bundle=8F0F556530244F68D99DC60D00CBB8CD
latest_bundle=8F0F556530244F68D99DC60D00CBB8CD
last_validated_bundle=8F0F556530244F68D99DC60D00CBB8CD
last_bundle_validation_status=success
restart_required_apply_bundle=0
status=Up
splunkindexcn2 D376D738-D61B-4F92-A685-C8D546798D55 default
active_bundle=8F0F556530244F68D99DC60D00CBB8CD
latest_bundle=8F0F556530244F68D99DC60D00CBB8CD
last_validated_bundle=8F0F556530244F68D99DC60D00CBB8CD
last_bundle_validation_status=success
restart_required_apply_bundle=0
status=Up
../bin/splunk rolling-restart cluster-peers
But the events are still in the search.
I am new to Splunk, and we set up the farm with a consultant, but now I want to make changes on my own. Is there a log where I can see whether the transforms are getting called, or something else?
Here are the events I want to get rid of:
2025-11-10 23:59:54 Server IP POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=blablabla...
2025-11-10 23:59:55 Server IP GET /mapi/healthcheck.htm - 443 - IP HTTP/1.0 - - IP:443 200 0 0 4 - - on
I hope someone can give me a hint where to look.
best regards Domi
It's a tricky case. As far as I remember, the IIS logs are ingested with INDEXED_EXTRACTIONS enabled. That means that events are processed at the initial UF, the fields are extracted as indexed fields, and the data is sent to the output(s) already parsed.
That means that it is not processed by most of the ingestion pipeline in subsequent components. That in turn means that the events won't trigger the transforms at all. So it's not that you're misconfiguring something.
There are two ways of dealing with that.
1) Reconfigure the input receiving the data from the UF to send data to the parsing queue again. But this is a highly unusual configuration, confusing in long-term maintenance, and I would strongly advise against it.
2) Instead of transforms, use a ruleset. This will get fired even on already parsed data.
One caveat about indexed fields, though. Since you get indexed fields, manipulating the raw event won't remove already extracted fields. If you wanted to get rid of them, you'd have to explicitly "unset" them. Luckily, in your case I see you only want to drop selected events to nullQueue. That should be perfectly doable.
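As an added illustration of the ruleset approach (this is not configuration from the thread or from the Splunk_TA_microsoft-iis add-on), here is what the same two files from the question look like when the drop is moved from TRANSFORMS- to RULESET-. It assumes Splunk Enterprise 9.0 or later, where the RULESET- class and INGEST_EVAL are available; the stanza names drop_health_check and drop_active_sync are chosen here and are not part of the add-on. The rule matches on _raw and sets the queue field, which is how Ingest Actions itself expresses a filter, so it runs in the indexer's ruleset pipeline on events that the Universal Forwarder already parsed with INDEXED_EXTRACTIONS:

```ini
# /opt/splunk/etc/manager-apps/Splunk_TA_microsoft-iis/local/props.conf
# (added example; RULESET- instead of TRANSFORMS-, so the rule still runs on
#  data that arrives already parsed from a UF with INDEXED_EXTRACTIONS)
[ms:iis:auto]
RULESET-drop_noise = drop_health_check, drop_active_sync

# /opt/splunk/etc/manager-apps/Splunk_TA_microsoft-iis/local/transforms.conf
# (added example; stanza names are assumptions, not from the add-on)
[drop_health_check]
# "[.]" matches a literal dot without needing a backslash in the .conf file.
# Events whose _raw contains the path go to nullQueue; everything else is
# routed to indexQueue unchanged.
INGEST_EVAL = queue=if(match(_raw, "/mapi/healthcheck[.]htm"), "nullQueue", "indexQueue")

[drop_active_sync]
# Same pattern for the ActiveSync Ping/Sync requests.
INGEST_EVAL = queue=if(match(_raw, "/Microsoft-Server-ActiveSync/"), "nullQueue", "indexQueue")
```

Push it the same way as before (splunk apply cluster-bundle on the manager). To confirm the peers actually received the stanza, run splunk btool props list ms:iis:auto --debug on one indexer and check that the RULESET-drop_noise line is listed with the local/props.conf path of the app. The rule only affects events indexed after the bundle is applied; events that were already on disk stay searchable until they age out of their buckets.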
Hello PickleRick,
thank you for your insight and explanation. I managed to solve my problem with a ruleset.
best regards
Domi
Hi @domi
I see that you are deploying this configuration to your indexers/peers but wanted to check - are you ingesting this data via a Universal Forwarder or a Heavy Forwarder? Or is the data passing through a Heavy Forwarder before reaching your indexers? If so you will need to ensure that these props/transforms are also put on the Heavy forwarder.
Hi livehybrid,
thank you for the reply.
the data is coming directly from the Exchange Servers with installed Universal Forwarder. We do not use HFs.
Do I have to put the props and transforms config on the search heads as well? Or do I have to toggle a switch to enable processing of the custom config?
I do not know where to look.
best regards
Domi