Solved: How to filter IIS logs with regular expression?

markuxProof · ‎02-17-2017

Greetings,

I'm trying to make a regular expression to filter the IIS logs.
I want Splunk to index only logs whose sc-status field> = 500, but I'm not able to implement.

Can someone help me?

markuxProof · ‎02-17-2017

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

View solution in original post

markuxProof · ‎02-17-2017

Guys, I think I already have it. I did the reverse. I have selected for exclusion records < 500

markuxProof · ‎02-20-2017

Thanks @ Woodcock. That's what I needed.

markuxProof · ‎02-22-2017

For those with the same doubt, I did a regex that corresponds to http <500 status in IIS Logs:
([1-4]\d+|\b0\b)

woodcock · ‎02-18-2017

Yes, you NullQueue the ones to drop with props.conf and transforms.conf.

aaraneta_splunk · ‎02-17-2017

@markuxProof - Was the above the solution to your question? Or were you just providing more context? If it's the former, let me know so I can convert it and accept it as an answer.

markuxProof · ‎02-20-2017

yes aaraneta, tks.

How to filter IIS logs with regular expression?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation