Splunk Search

How to configure regex for transforms.conf and props.conf to send specified IIS data to nullQueue?

cdupuis123
Path Finder

Trying to dump off what seems like a simple thing to do from raw iis logs.

just want to not allow this to index: cs_uri_stem = /CLBOnline/AppOnline

my props.conf is

[iis]
TRANSFORMS-set = setnull1

my transforms.conf is

# bit bucket for IIS
[setnull1]
REGEX = \/CLBOnline\/AppOnline
DEST_KEY = queue
FORMAT = nullQueue

I'm running Splunk 6.1

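To see what a nullQueue transform will actually drop before deploying it, here is an added Python dry run (not code from the post or from Splunk) that applies the stanza's REGEX to constructed IIS W3C log lines the way Splunk does, unanchored against the whole raw event, and reports which lines would be discarded. It also tries a hypothetical anchored alternative, which assumes the W3C field order date time s-ip cs-method cs-uri-stem shown in the constructed header, and shows that events arriving under a different sourcetype such as iis-2 are never touched by a rule under [iis]. The names route_event, filter_log, setnull_exact and PROPS_EXACT are this example's own.

```python
"""Dry run of Splunk props.conf/transforms.conf nullQueue routing on IIS lines.

Added example, not from the original post or from Splunk. It only simulates
the routing rule (REGEX against the raw event, DEST_KEY=queue,
FORMAT=nullQueue); the log lines below are constructed.
"""
import re

# Constructed IIS W3C log excerpt. Field order follows the #Fields header
# below; a real server's order depends on its logging configuration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-06-01 10:00:01 10.0.0.5 GET /CLBOnline/AppOnline - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2014-06-01 10:00:02 10.0.0.5 GET /CLBOnline/AppOnline/health - 443 - 192.0.2.11 Mozilla/5.0 200 0 0 3
2014-06-01 10:00:03 10.0.0.5 POST /CLBOnline/Login - 443 - 192.0.2.12 Mozilla/5.0 401 0 0 20
2014-06-01 10:00:04 10.0.0.5 GET /other/page next=/CLBOnline/AppOnline 443 - 192.0.2.13 Mozilla/5.0 200 0 0 8
2014-06-01 10:00:05 10.0.0.5 GET /CLBOnline/AppOnlineAdmin - 443 admin 192.0.2.14 Mozilla/5.0 200 0 0 12
"""

# transforms.conf stanzas. Splunk applies REGEX to the whole raw event,
# unanchored, so the post's pattern matches the path anywhere in the line.
TRANSFORMS = {
    "setnull1": {                      # the stanza from the question
        "REGEX": r"\/CLBOnline\/AppOnline",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
    "setnull_exact": {                 # hypothetical tighter alternative
        # Four leading fields (date time s-ip cs-method), then the stem,
        # then whitespace: matches only when cs-uri-stem is exactly the path.
        "REGEX": r"^\S+\s+\S+\s+\S+\s+\S+\s+/CLBOnline/AppOnline\s",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
}

# props.conf: sourcetype stanza -> ordered list of TRANSFORMS-* names.
PROPS = {"iis": ["setnull1"]}          # [iis] TRANSFORMS-set = setnull1
PROPS_EXACT = {"iis": ["setnull_exact"]}


def route_event(sourcetype, raw, props, transforms):
    """Return the queue an event lands in: 'indexQueue' or 'nullQueue'.

    Only transforms referenced from the event's sourcetype stanza run,
    which is why data arriving as sourcetype 'iis-2' is never filtered
    by a rule under [iis]. A later matching stanza overwrites an earlier one.
    """
    queue = "indexQueue"
    for name in props.get(sourcetype, []):
        stanza = transforms[name]
        if stanza.get("DEST_KEY") != "queue":
            continue
        if re.search(stanza["REGEX"], raw):
            queue = stanza["FORMAT"]
    return queue


def filter_log(text, sourcetype, props, transforms):
    """Split a W3C log into the lines Splunk would keep and drop.

    '#' directive lines are skipped here; they are not events.
    """
    kept, dropped = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if route_event(sourcetype, line, props, transforms) == "nullQueue":
            dropped.append(line)
        else:
            kept.append(line)
    return {"kept": kept, "dropped": dropped}


if __name__ == "__main__":
    runs = (("post's regex", PROPS, "iis"),
            ("exact-stem regex", PROPS_EXACT, "iis"),
            ("post's regex, sourcetype iis-2", PROPS, "iis-2"))
    for label, props, st in runs:
        result = filter_log(SAMPLE_LOG, st, props, TRANSFORMS)
        print(f"{label}: kept {len(result['kept'])}, dropped {len(result['dropped'])}")
        for line in result["dropped"]:
            print("  dropped stem:", line.split()[4])
```

The check worth doing here is that the post's pattern drops any event that merely contains the path, including requests to /CLBOnline/AppOnlineAdmin or a query string that refers to it; anchoring on the cs-uri-stem position keeps those. Data sent to nullQueue is never indexed, so run the filter over a sample of real lines before enabling it.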
1 Solution

cdupuis123
Path Finder

Update: apparently in Splunk v6 we can now transform IIS & csv logs on the Universal Forwarder! News to me. Next hurdle (for me) was getting it to work on the UF, as it would work fine in etc\system\local (not possible I think from a deployment server) but wouldn't work in the app directory. My SE pointed out that I needed to declare this in the app's metadata directory by adding to default.meta:
[props]
export = system
[transforms]
export = system

I've learned something new, and hope others figured this out faster than I!!!! Regardless it's documented now.

Thanks Jeff


Richfez
SplunkTrust

Can you confirm that your sourcetype is correctly set to iis? I had this problem and found it was being set to iis-2.


cdupuis123
Path Finder

Ya, I figured that out, Martin, thanks. Regex is still stumping me....


cdupuis123
Path Finder

Maybe that's my issue. I'm pumping these IIS logs into an iis index; when I search index=iis the sourcetype of iis comes back, but when I search sourcetype=iis I get nothing?


martin_mueller
SplunkTrust

That's likely due to the iis index not being listed in your user's role's "indexes searched by default", so when not specifying an index in the search it probably just looks in the main index.
