Solved: How to filter IIS logs with regular expression?

markuxProof · ‎02-17-2017

Greetings,

I'm trying to make a regular expression to filter the IIS logs.
I want Splunk to index only logs whose sc-status field> = 500, but I'm not able to implement.

Can someone help me?

markuxProof · ‎02-17-2017

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

View solution in original post

markuxProof · ‎02-17-2017

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

markuxProof · ‎02-20-2017

Thanks @ Woodcock. That's what I needed.

markuxProof · ‎02-22-2017

For those with the same doubt, I did a regex that corresponds to http <500 status in IIS Logs:
([1-4]\d+|\b0\b)

woodcock · ‎02-18-2017

Yes, you NullQueue the ones to drop with props.conf and transforms.conf.

aaraneta_splunk · ‎02-17-2017

@markuxProof - Was the above the solution to your question? Or were you just providing more context? If it's the former, let me know so I can convert it and accept it as an answer.

markuxProof · ‎02-20-2017

yes aaraneta, tks.

How to filter IIS logs with regular expression?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!