Dear all,
I'd like to filter IIS logs and forward only .aspx requests to Splunk.
I tried something like this:
[monitor://C:\inetpub\logs\LogFiles\*\*.log]
_TCP_ROUTING = default-autolb-group
disabled = 0
sourcetype=iis
whitelist = (\.aspx\s)
But the "whitelist" doesn't work and forwards all log lines to Splunk.
Could anyone help me, please?
Thanks for your attention.
Hi @saeidsaeidsaeid
The whitelist in inputs.conf is only for filtering based on filename. You will need to use this method to discard the non-asp events:
Since the [iis] sourcetype uses index extractions, you should set up this props on the UF.
All the best.
I agree with what @chrisyoungerjds said. Also, you should be able to do the filtering that you need inside IIS because it has extensive logging configuration features. In fact, that is why INDEXED_EXTRACTIONS was created (which is definitely the way that you should handle IIS) because your IIS admin could change the names/orders of the fields at any time. The whole explanation on your options can be found here:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
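An added configuration sketch, not part of the original posts, of the "keep specific events and discard the rest" pattern that the linked documentation describes, applied to the setup in this thread. The transform stanza names (iis_drop_all, iis_keep_aspx) and the class name filter_aspx are illustrative assumptions; the monitor path, routing group, sourcetype and regex come from the question.

```ini
# inputs.conf (universal forwarder)
# whitelist/blacklist here match the FILE PATH, never the log lines,
# so this only selects which files are monitored.
[monitor://C:\inetpub\logs\LogFiles\*\*.log]
_TCP_ROUTING = default-autolb-group
disabled = 0
sourcetype = iis
whitelist = \.log$

# props.conf (universal forwarder, as the answer advises for the
# iis sourcetype because it uses indexed extractions)
[iis]
# Transforms run left to right: send everything to nullQueue first,
# then put matching events back on indexQueue.
TRANSFORMS-filter_aspx = iis_drop_all, iis_keep_aspx

# transforms.conf (universal forwarder)
[iis_drop_all]
# Matches every event and discards it.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[iis_keep_aspx]
# Re-queues events whose raw line contains ".aspx" followed by whitespace.
REGEX = \.aspx\s
DEST_KEY = queue
FORMAT = indexQueue
```

The REGEX is tested against the whole raw log line, so a request for another resource whose referer field ends in .aspx is also kept; tighten the pattern if that matters for the detection or audit use case.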