I am trying to limit the input of iis logs to only 4xx and 5xx vaqlues in the sc_status field. In the etc\system\local directory I have created an inputs.conf, props.conf. and transforms.conf files with the following entries. I have tried many variations of the REGEX entry in the transforms.conf but nothing seems to work. It is currently set to only get 4xx statuses. Please help
inputs.conf
[monitor://C:\inetpub\logs\LogFiles\W3SVC3]
disabled=false
followTail = 0
sourcetype=iis
props.conf
[iis]
TRANSFORMS-HttpErrorsOnly=HttpErrorsOnly
transforms.conf
[HttpErrorsOnly]
SOURCE_KEY=field:sc_status
REGEX=4[0-9][0-9]
DEST_KEY=queue
FORMAT=nullQueue
↧