Splunk Search

How to filter IIS logs with regular expression?

markuxProof
Path Finder

Greetings,

I'm trying to make a regular expression to filter the IIS logs.
I want Splunk to index only logs whose sc-status field> = 500, but I'm not able to implement.

Can someone help me?

0 Karma
1 Solution

markuxProof
Path Finder

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

View solution in original post

0 Karma

markuxProof
Path Finder

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

0 Karma

markuxProof
Path Finder

Thanks @ Woodcock. That's what I needed.

0 Karma

markuxProof
Path Finder

For those with the same doubt, I did a regex that corresponds to http <500 status in IIS Logs:
([1-4]\d+|\b0\b)

woodcock
Esteemed Legend

Yes, you NullQueue the ones to drop with props.conf and transforms.conf.

aaraneta_splunk
Splunk Employee
Splunk Employee

@markuxProof - Was the above the solution to your question? Or were you just providing more context? If it's the former, let me know so I can convert it and accept it as an answer.

markuxProof
Path Finder

yes aaraneta, tks.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...