Splunk Search

IIS log comment removal not removing

lspringer
Path Finder

Splunk is not removing commented out fields beginning with a "#" in indexed IIS logs. Any assistance would be greatly appreciated.

I've added the following to my configs:

props.conf:

[iis-2]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = False
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments

transforms.conf:

[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue

Sample log comments:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-11-08 00:00:43
#Fields: date time s-computername s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip 
0 Karma
1 Solution

rturk
Builder

In your transforms.conf, you're escaping the hash (#) as though it were a special character (which it isn't - see HERE).

Here's a stanza from a transforms.conf that I used that seems to do what you're looking for:

[hash_comment]
REGEX           = ^#
DEST_KEY        = queue
FORMAT          = nullQueue

Let me know how you go 🙂


0 Karma

lguinn2
Legend

Are you sure that your data is being indexed as iis-2? Since the iis format can vary, Splunk often assigns a different number to each iis input. So you could have iis-2 iis-3 etc. One way to address this is to make your transformation apply to all iis-based sourcetypes by changing your stanza in props.conf to

[iis*]

For more info on why the variations appear: IIS sourcetype variations

0 Karma
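One way to check what a nullQueue transform would actually drop before deploying it, as an added example (not code from this thread or from Splunk): a Python dry run that applies rturk's [hash_comment] stanza through lguinn2's [iis*] wildcard to constructed IIS lines, including a request line with a '#' in the middle that must survive. The .conf parsing and stanza glob matching are simplified approximations of Splunk's behaviour, assumed here for illustration.

```python
import configparser
import fnmatch
import re

# Constructed .conf fragments mirroring the thread (rturk's [hash_comment], lguinn2's [iis*]); a dry-run model, not Splunk's parser.
TRANSFORMS_CONF = """
[hash_comment]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
"""
PROPS_CONF = """
[iis*]
TRANSFORMS-removecomments = hash_comment
"""
# Constructed sample events: IIS W3C header comments plus two requests; the one with '#' mid-line must be kept.
SAMPLE_LINES = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-computername s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip",
    "2011-11-08 00:00:44 WEB01 10.0.0.5 GET /index.htm - - 10.0.0.9",
    "2011-11-08 00:00:45 WEB01 10.0.0.5 GET /page.htm q=#top - 10.0.0.9",
]

def load_stanzas(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}} (simplified)."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep key case (REGEX, DEST_KEY, ...)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def transforms_for_sourcetype(props, sourcetype):
    """Names of TRANSFORMS-* referenced by props stanzas whose glob matches."""
    names = []
    for stanza, keys in props.items():
        if fnmatch.fnmatchcase(sourcetype, stanza):  # [iis*] matches iis-2, iis-3, ...
            for key, value in keys.items():
                if key.startswith("TRANSFORMS-"):
                    names.extend(n.strip() for n in value.split(","))
    return names

def route(lines, sourcetype, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Dry-run: return (kept, dropped) for events of the given sourcetype."""
    props, transforms = load_stanzas(props_text), load_stanzas(transforms_text)
    rules = [transforms[n] for n in transforms_for_sourcetype(props, sourcetype)]
    kept, dropped = [], []
    for line in lines:
        to_null = any(r.get("DEST_KEY") == "queue" and r.get("FORMAT") == "nullQueue"
                      and re.search(r["REGEX"], line) for r in rules)
        (dropped if to_null else kept).append(line)
    return kept, dropped
```

Running route(SAMPLE_LINES, "iis-3") drops only the two header lines; a sourcetype outside the iis* glob keeps everything, which is the symptom the thread describes.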


lspringer
Path Finder

I changed the regex to above and did the following to remove the existing commented fields:
sourcetype="iis-2" # | delete

They haven't come back since, thanks!

0 Karma

lspringer
Path Finder

I'm using the universal forwarder on a remote machine. The props.conf and transforms.conf are in the /opt/splunk/etc/system/local directory on the indexer.

0 Karma

lguinn2
Legend

Your props.conf and transforms.conf look good - thanks for the completeness of your post. But I have a few more questions: Where did you put the props.conf and the transforms.conf? On the indexer? On the forwarder? What kind of forwarder are you using?

0 Karma