Splunk Search

How to filter IIS logs with regular expression?

Path Finder

Greetings,

I'm trying to make a regular expression to filter the IIS logs.
I want Splunk to index only logs whose sc-status field> = 500, but I'm not able to implement.

Can someone help me?

0 Karma
1 Solution

Path Finder

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

View solution in original post

0 Karma

Path Finder

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

View solution in original post

0 Karma

Path Finder

Thanks @ Woodcock. That's what I needed.

0 Karma

Path Finder

For those with the same doubt, I did a regex that corresponds to http <500 status in IIS Logs:
([1-4]\d+|\b0\b)

Esteemed Legend

Yes, you NullQueue the ones to drop with props.conf and transforms.conf.

Splunk Employee
Splunk Employee

@markuxProof - Was the above the solution to your question? Or were you just providing more context? If it's the former, let me know so I can convert it and accept it as an answer.

Path Finder

yes aaraneta, tks.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!