Hello Splunkers,
I've been working on filtering IIS events. What I need to keep is any event that contains auth.owa, then nullQueue the rest. I've been through the docs many times but something is missing. I've been able to send all events to nullQueue no problem but I've not been able to let the wanted events through.
This is the message I'm interested in:
2016-03-07 22:39:02 127.0.0.1 POST /OWA/auth.owa &CorrelationID=;&ClientId=AODTP0KGF0BGDQLLSW&cafeReqId=a5e157b9-047b-4e2d-a486-809dc938ed16; 443 foobar@xxx.yyy.com 127.0.0.1 AMProbe/Local/ClientAccess 200 0 0 62
Here's my props.conf file:
[source::...\\IISLogs\\...\\*]
TRANSFORMS-iis = iisbitbucket,iisauthonly
Transforms looks like this:
[iisbitbucket]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[iisauthonly]
REGEX = auth\.owa
DEST_KEY = queue
FORMAT = indexQueue
My gut is telling me I'm missing something fundamental here but I can't figure out what. I've tried all kinds of combinations of REGEX in the iisauthonly stanza but so far, nothing works. The result of this config is that all messages are making it into the indexQueue. These conf files are located on the UFs, which are Windows 2008 R2 servers. According to http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest (scroll to the bottom), structured data is filtered on the UF. Any ideas on what I'm missing?
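The "keep some, discard the rest" pattern in the docs the post links to relies on Splunk evaluating the stanzas named in TRANSFORMS-iis in the listed order, with each matching stanza overwriting DEST_KEY, so the last match wins. The script below is an added example (not the poster's code and not anything from Splunk) that models only that ordering rule on the two stanzas from the post and on two constructed IIS lines: the auth.owa request quoted above and a made-up request for another URI. It assumes that an event no stanza touches stays on the default path to the index, and it says nothing about where the transforms actually execute (UF versus indexer), which is the separate question the post raises.

```python
import re

# Constructed sample IIS W3C lines. The first is the auth.owa request quoted in the
# post; the second is a made-up request for a different URI that should be discarded.
SAMPLE_LINES = [
    "2016-03-07 22:39:02 127.0.0.1 POST /OWA/auth.owa &CorrelationID=;&ClientId=AODTP0KGF0BGDQLLSW&cafeReqId=a5e157b9-047b-4e2d-a486-809dc938ed16; 443 foobar@xxx.yyy.com 127.0.0.1 AMProbe/Local/ClientAccess 200 0 0 62",
    "2016-03-07 22:39:05 127.0.0.1 GET /owa/service.svc action=GetFolder 443 foobar@xxx.yyy.com 127.0.0.1 Mozilla/5.0 200 0 0 15",
]

# The two transforms.conf stanzas from the post, in the order props.conf lists them:
# TRANSFORMS-iis = iisbitbucket,iisauthonly
TRANSFORMS = [
    {"name": "iisbitbucket", "regex": r".", "dest_key": "queue", "format": "nullQueue"},
    {"name": "iisauthonly", "regex": r"auth\.owa", "dest_key": "queue", "format": "indexQueue"},
]


def route_event(raw_event, transforms=TRANSFORMS):
    """Return the queue an event is sent to under the ordered TRANSFORMS rule:
    every stanza whose REGEX matches sets its DEST_KEY, and a later match
    overwrites an earlier one, so the last matching stanza wins."""
    keys = {}
    for stanza in transforms:
        if re.search(stanza["regex"], raw_event):
            keys[stanza["dest_key"]] = stanza["format"]
    # Assumption of this model: an event no stanza touched keeps the default
    # path to the index.
    return keys.get("queue", "indexQueue")


def route_all(lines, transforms=TRANSFORMS):
    """Group a batch of raw events by the queue they would be routed to."""
    routed = {"indexQueue": [], "nullQueue": []}
    for line in lines:
        routed[route_event(line, transforms)].append(line)
    return routed


if __name__ == "__main__":
    for queue, events in route_all(SAMPLE_LINES).items():
        print(f"{queue}: {len(events)} event(s)")
    # Reversing the order lets the catch-all '.' stanza win for every event, so
    # nothing reaches the index: the stanza order is part of the filter's correctness.
    reversed_routing = route_all(SAMPLE_LINES, list(reversed(TRANSFORMS)))
    print("reversed order ->", {q: len(e) for q, e in reversed_routing.items()})
```

With the order as written in the post, the auth.owa line lands in indexQueue and the other line in nullQueue; swapping the two names in TRANSFORMS-iis sends both to nullQueue. That makes the ordering an easy thing to check first, before looking at where the parsing pipeline runs for this input.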