Why is my props.conf and transforms.conf configura...

Rotema · ‎11-26-2015

Hi,

I have the following IIS log:

2015-11-26 11:19:37 10.10.90.36 GET /webpl3/Handlers/ClientState/ClientState.ashx 0.06813673302531242&methodName=GetData&requestMode=1&csmg=f657d767-f8e6-46ea-a3d6-c6bd7ff68ee6 2600 6250447 83.220.237.124 Mozilla/5.0+(Linux;+Android+5.1.1;+D6603+Build/23.4.A.1.232;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/4.0+Chrome/46.0.2490.76+Mobile+Safari/537.36++PG_ANDROID_FXNET https://mt.iforex.com/webpl3/MobileMain.aspx?view=2 200 0 0 0

I'm trying to filter it out so Splunk wont index it and use my license.

What I did is:

Props.conf:

[sourcetype::iis]
TRANSFORMS-wmi=wminull9

Transforms.conf:
[wminull9]

REGEX = \[ClientState\]
DEST_KEY=queue
FORMAT=nullQueue

But it's not working and I still see this event on Splunk.

Can anyone help?

Thanks,
Rotem

MuS · ‎11-30-2015

Hi Rotema,

a few things that I can think of:

the stanza in your props.conf should be [iis]
Your TRANSFORMS-wmi could be not unique; try TRANSFORMS-wmiNullQueue=wminull9
Your regex does not match; try REGEX = ClientState because in your provided example there is no [ or ] around ClientState
Put your props.conf and transforms.conf on the Splunk instance where the events will be parsed, so either a heavy weight forwarder or an indexer
Restart Splunk

Hope this helps ...

cheers, MuS

Why is my props.conf and transforms.conf configuration not filtering out IIS logs as expected?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life