We are trying to parse or drop a number of fields on IIS Logs from our Exchange environment. I have done as much digging as I could and have found a forum post that tried to answer this exact question, but it is unfortunately not working. The forum post I found is:
https://answers.splunk.com/answers/118668/filter-iis-logs-before-indexing.html
The issue I am running into is when trying to send some IIS fields to either the nullQueue or to an empty string, it simply doesn't work. It should be easy enough to just send the Source Key to either of those, but for whatever reason, I can't get it to work.
Our environment is up to date on all components running 6.4.3.
**SAMPLE IIS log file from MS TechNet (is identical to our log format)**

```
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2002-05-02 17:42:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
```
Here is what I have set up on the UF where the IIS logs originate:
On the UF in $Splunk\etc\system\local

**props.conf**

```
[iis_extraction]
TRANSFORMS-throw_some_away=throw_some_away
```
I want to throw the cs-method field away, i.e. not index that field. So I want to either make it an empty string so Splunk will drop it, or I want to send it to the nullQueue.
On the UF in $Splunk\etc\system\local

**transforms.conf**

```
[throw_some_away]
SOURCE_KEY=field:cs-method
REGEX=.
FORMAT=
```
As a backup plan, we have some options, but it would be nice to be able to do it either here on the Universal Forwarder, or on a Heavy Forwarder before hitting the Indexers. As I understand it, according to the Splunk documentation, all transforms should occur for structured data before getting to the Indexer as INDEXED_EXTRACTIONS bypass the parsing, merging, and typing queues. I can't get that to work. I appreciate all the advice I have received getting to this point, so if you see this and have offered help, I thank you.
If anyone has any advice or clues as to why I am not seeing the parsing of this field, I would greatly appreciate any and all help!
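The W3C extended format behind the sample above, as an added example (not from the original post and not Splunk code): a plain Python parser driven by the `#Fields:` directive, plus a rewrite that strips a column such as `cs-method` from both the header and every data line, so whatever consumes the file downstream never receives the value.

```python
"""Parse IIS W3C extended logs (the '#Fields:' directive names the columns)
and drop a field before the event leaves the forwarder.  Added example:
not part of the original post and not Splunk's own code."""
from typing import Dict, Iterator, List, Set

# Constructed sample: the TechNet excerpt quoted in the post.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2002-05-02 17:42:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the most recent '#Fields:' list.
    Values are kept raw: '-' is the W3C null marker and IIS writes spaces
    inside a value as '+', so decoding is left to the caller."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # header can repeat mid-file
            continue
        if line.startswith("#"):
            continue                                   # #Software, #Date, ... carry no event
        if not fields:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))


def filter_log(text: str, drop: Set[str]) -> str:
    """Rewrite the log with the named columns removed from the #Fields directive
    and from every data line.  The output is still valid W3C, so a downstream
    parser (e.g. Splunk's INDEXED_EXTRACTIONS=W3C) never sees the dropped values."""
    out: List[str] = []
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            out.append("#Fields: " + " ".join(f for f in fields if f not in drop))
        elif raw.startswith("#") or not raw.strip():
            out.append(raw)                            # directives pass through unchanged
        else:
            values = raw.split(" ")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            out.append(" ".join(v for f, v in zip(fields, values) if f not in drop))
    return "\n".join(out) + "\n"
```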