Splunk Search

IIS log comment removal not removing

lspringer
Path Finder

Splunk is not removing commented out fields beginning with a "#" in indexed IIS logs. Any assistance would be greatly appreciated.

I've added the following to my configs:

props.conf:

[iis-2]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = False
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments

transforms.conf:

[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue

Sample log comments:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-11-08 00:00:43
#Fields: date time s-computername s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip 
0 Karma
1 Solution

rturk
Builder

In your transforms.conf, you're escaping the hash (#) as though it were a special character (which is isn't - see HERE).

Here's a stanza from a transforms.conf that I used that seems to do what you're looking for:

[hash_comment]
REGEX           = ^#
DEST_KEY        = queue
FORMAT          = nullQueue

Let me know how you go 🙂

View solution in original post

0 Karma

lguinn2
Legend

Are you sure that your data is being indexed as iis-2? Since the iis format can vary, Splunk often assigns a different number to each iis input. So you could have iis-2 iis-3 etc. One way to address this is to make your transformation apply to all iis-based sourcetypes by changing your stanza in props.conf to

[iis*]

For more info on why the variations appear: IIS sourcetype variations

0 Karma

rturk
Builder

In your transforms.conf, you're escaping the hash (#) as though it were a special character (which is isn't - see HERE).

Here's a stanza from a transforms.conf that I used that seems to do what you're looking for:

[hash_comment]
REGEX           = ^#
DEST_KEY        = queue
FORMAT          = nullQueue

Let me know how you go 🙂

0 Karma

lspringer
Path Finder

I changed the regex to above and did the following to remove the existing commented fields:
sourcetype="iis-2" # | delete

They haven't come back since, thanks!

0 Karma

lspringer
Path Finder

I'm using the universal forwarder on a remote machine.The props.conf and transforms.conf are in the /opt/splunk/etc/system/local directory on the indexer.

0 Karma

lguinn2
Legend

Your props.conf and transforms.conf look good - thanks for the completeness of your post. But I have a few more questions: Where did you put the props.conf and the transforms.conf? On the indexer? On the forwarder? What kind of forwarder are you using?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...