
How to index only certain events from IIS weblogs?


I want to index only 404s and 500 errors from particular IIS log files. I have the following in props.conf.

[iis-6]
REPORT-AutoHeader = AutoHeader-5
TZ = UTC
TRANSFORMS-set= setnull,setparsing

In my transforms.conf I have:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX=(?m)sc_status=404
DEST_KEY = queue
FORMAT = indexQueue

It seems to get tripped up by the sc_status=404. If I just have REGEX=404 then it works, however with a lot of other noise.

This configuration is running on a SplunkForwarder.

Thx.

Almost certainly the string `sc_status=404` is never actually in your IIS log file. The REGEX must actually match the raw text of your event, as fields are not extracted and assigned at index time. This means you'll probably need something like:

REGEX=^\S+\s+\S+\s+\S+\s+404\s+

or however many repetitions of \S+\s+ to get to the right place in the log line where the field is located.

Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F if you'd like to understand why.
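The following is an added example, not code from either post or from Splunk. It simulates how an ordered TRANSFORMS list routes raw lines between nullQueue and indexQueue (last matching transform wins), runs the three regexes discussed in the thread against a constructed IIS 6 W3C log, and goes one step beyond the answer by reading the column position of sc-status from the log's own #Fields header instead of counting \S+\s+ groups by hand. The sample log, its field layout and the simplified routing model (default queue is indexQueue when no transform rewrites it) are assumptions for the demonstration; a real deployment must use the #Fields order of its own log files.

```python
import re

# Constructed IIS 6 W3C log sample (not from the thread). The #Fields line
# defines the column order; sc-status is the 11th column in this layout.
# Line 4 deliberately carries "404" inside the URI while its status is 200,
# reproducing the "noise" the question describes for REGEX=404.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-03-01 00:00:01 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2011-03-01 00:00:02 10.0.0.5 GET /missing.htm - 80 - 192.0.2.11 Mozilla/4.0 404 0 2
2011-03-01 00:00:03 10.0.0.5 POST /app/form.aspx - 80 - 192.0.2.12 Mozilla/4.0 500 0 0
2011-03-01 00:00:04 10.0.0.5 GET /images/404.gif - 80 - 192.0.2.13 Mozilla/4.0 200 0 0
"""


def field_position(log_text, field_name):
    """Return the zero-based column index of field_name from the #Fields header."""
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            return fields.index(field_name)
    raise ValueError("no #Fields header found")


def positional_regex(position, status_codes):
    """Build the kind of REGEX the answer recommends: skip `position`
    whitespace-separated columns, then require one of the status codes
    as the next whole column (the trailing \\s stops 4040 from matching 404)."""
    alternatives = "|".join(str(code) for code in status_codes)
    return r"^(?:\S+\s+){%d}(?:%s)\s" % (position, alternatives)


def route_events(log_text, transforms):
    """Simulate Splunk applying an ordered TRANSFORMS list to each raw line.
    transforms is a list of (regex, format) pairs; every transform whose regex
    matches the raw text sets DEST_KEY = queue, so the last match wins.
    Simplified model: a line nothing rewrites stays in indexQueue."""
    queues = {"nullQueue": [], "indexQueue": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        queue = "indexQueue"
        for regex, fmt in transforms:
            if re.search(regex, line):
                queue = fmt
        queues[queue].append(line)
    return queues


def indexed_statuses(log_text, transforms, status_position):
    """Return the sc-status column of every non-comment line that reached indexQueue."""
    kept = route_events(log_text, transforms)["indexQueue"]
    return [line.split()[status_position] for line in kept if not line.startswith("#")]


# [setnull] from the question: REGEX = . sends everything to nullQueue first.
SETNULL = (r".", "nullQueue")
STATUS_POS = field_position(SAMPLE_LOG, "sc-status")  # 10 for this layout


def kept_with_posted_regex():
    """The original [setparsing] regex: the field name never appears in raw text."""
    return indexed_statuses(SAMPLE_LOG, [SETNULL, (r"(?m)sc_status=404", "indexQueue")], STATUS_POS)


def kept_with_bare_404():
    """REGEX=404 works but also keeps the 200 response for /images/404.gif."""
    return indexed_statuses(SAMPLE_LOG, [SETNULL, (r"404", "indexQueue")], STATUS_POS)


def kept_with_positional_regex():
    """Column-anchored regex keeps exactly the 404 and 500 responses."""
    regex = positional_regex(STATUS_POS, [404, 500])
    return indexed_statuses(SAMPLE_LOG, [SETNULL, (regex, "indexQueue")], STATUS_POS)


if __name__ == "__main__":
    print("sc-status column index:", STATUS_POS)
    print("generated REGEX:", positional_regex(STATUS_POS, [404, 500]))
    print("as posted   ->", kept_with_posted_regex())
    print("REGEX=404   ->", kept_with_bare_404())
    print("positional  ->", kept_with_positional_regex())
```

Running the block prints an empty list for the regex as posted, a list containing a 200 for the bare 404 regex, and only 404 and 500 for the column-anchored regex. The generated pattern for this layout is `^(?:\S+\s+){10}(?:404|500)\s`, which is what you would paste into [setparsing]; if your IIS site logs a different set of columns, the #Fields line changes and so does the repetition count.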