Hi,
I have the following IIS log:
2015-11-26 11:19:37 10.10.90.36 GET /webpl3/Handlers/ClientState/ClientState.ashx 0.06813673302531242&methodName=GetData&requestMode=1&csmg=f657d767-f8e6-46ea-a3d6-c6bd7ff68ee6 2600 6250447 83.220.237.124 Mozilla/5.0+(Linux;+Android+5.1.1;+D6603+Build/23.4.A.1.232;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/4.0+Chrome/46.0.2490.76+Mobile+Safari/537.36++PG_ANDROID_FXNET https://mt.iforex.com/webpl3/MobileMain.aspx?view=2 200 0 0 0
I'm trying to filter it out so Splunk won't index it and use my license.
What I did is:
Props.conf:
[sourcetype::iis]
TRANSFORMS-wmi=wminull9
Transforms.conf:
[wminull9]
REGEX = \[ClientState\]
DEST_KEY=queue
FORMAT=nullQueue
But it's not working and I still see this event on Splunk.
Can anyone help?
Thanks,
Rotem
Hi Rotem,
a few things that I can think of:
props.conf: the stanza should be [iis].
TRANSFORMS-wmi could be not unique; try TRANSFORMS-wmiNullQueue=wminull9.
REGEX = ClientState, because in your provided example there is no [ or ] around ClientState.
props.conf and transforms.conf go on the Splunk instance where the events will be parsed, so either a heavy weight forwarder or an indexer.
Hope this helps ...
cheers, MuS
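The regex point in the answer above is the one that is easy to check offline before touching the indexer. The following is an added example, not code from either poster or from Splunk: it runs the posted pattern, the corrected pattern, and a tighter path-anchored pattern (my own suggestion, labelled hypothetical) over the log line from the question plus one constructed control line. It assumes that a transforms.conf REGEX is an unanchored search over the raw event text (Splunk uses PCRE; Python's re behaves the same for these patterns).

```python
import re

# The IIS line posted in the question, unchanged.
POSTED_LINE = (
    "2015-11-26 11:19:37 10.10.90.36 GET /webpl3/Handlers/ClientState/ClientState.ashx "
    "0.06813673302531242&methodName=GetData&requestMode=1&csmg=f657d767-f8e6-46ea-a3d6-c6bd7ff68ee6 "
    "2600 6250447 83.220.237.124 Mozilla/5.0+(Linux;+Android+5.1.1;+D6603+Build/23.4.A.1.232;+wv)"
    "+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/4.0+Chrome/46.0.2490.76+Mobile+Safari/537.36"
    "++PG_ANDROID_FXNET https://mt.iforex.com/webpl3/MobileMain.aspx?view=2 200 0 0 0"
)

# Constructed control line for this example: it mentions "ClientState" in an
# unrelated path, so a loose regex would drop an event we probably want to keep.
CONTROL_LINE = (
    "2015-11-26 11:19:38 10.10.90.36 GET /webpl3/Reports/ClientStateSummary.aspx view=2 "
    "443 - 83.220.237.124 Mozilla/5.0 - 200 0 0 15"
)

# Pattern from the question: the brackets are literal, and the event has none,
# so it never matches and nothing is sent to nullQueue.
REGEX_ORIGINAL = r"\[ClientState\]"

# Pattern suggested in the answer: matches anywhere in the event.
REGEX_SUGGESTED = r"ClientState"

# Hypothetical tighter pattern (my addition): pin the match to the method and
# the handler path so only that endpoint is dropped.
REGEX_TIGHT = r"^\S+ \S+ \S+ GET /webpl3/Handlers/ClientState/ClientState\.ashx "


def goes_to_null_queue(regex, line):
    """True if this event would be routed to nullQueue by the given REGEX.

    Assumption: the transforms.conf REGEX is an unanchored search over _raw.
    """
    return re.search(regex, line) is not None


def route(regex, lines):
    """Return the events that survive the filter and would be indexed."""
    return [line for line in lines if not goes_to_null_queue(regex, line)]


if __name__ == "__main__":
    sample = [POSTED_LINE, CONTROL_LINE]
    for name, rx in (("original", REGEX_ORIGINAL),
                     ("suggested", REGEX_SUGGESTED),
                     ("tight", REGEX_TIGHT)):
        kept = route(rx, sample)
        print(f"{name:10s} {rx!r}: {len(sample) - len(kept)} dropped, {len(kept)} kept")
```

Running it shows the original pattern dropping nothing (the bug the answer identifies), the suggested pattern dropping both lines, and the anchored pattern dropping only the ClientState.ashx handler. When the goal is saving license volume, prefer the anchored form: a bare substring silently discards anything else that happens to contain the word, and events you never indexed cannot be recovered later.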