In our IIS logs, we are getting thousands of lines like the ones below, which are of no use when ingested into Splunk. So we want to exclude these and ingest only the lines that have strings with data after GET/POST /xxxx.
Exclude to ingest:
2017-05-23 09:03:05 10.211.23.14 GET / - 80 - 10.211.23.242 - - 200 0 0 0
2017-05-23 09:02:28 10.211.23.14 POST / - 80 - 10.211.23.241 - - 200 0 0 0
Include to ingest:
2017-05-23 09:00:41 10.211.23.14 GET /EnterpriseAddressService/V1/EnterpriseAddressService.svc wsdl=wsdl0 80 - 10.211.22.48 Java/1.7.0_25 - 200 0 0 0
2017-05-23 09:00:41 10.211.23.14 POST /EnterpriseAddressService/V1/EnterpriseAddressService.svc - 80 - 10.211.22.48 JAX-WS+RI+2.2.4-b01 - 200 0 0 171
Please let me know how to create props and transforms for this. I have tried the below but it didn't work.
props:
[sourcetype::test_iis]
TRANSFORMS-set = setnull
transforms:
[setnull]
REGEX = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3} GET [/] [-] 80 [-] \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3} [-] [-] \d{1,3} \d{1,3} \d{1,3} \d{1,3}
DEST_KEY = queue
FORMAT = nullQueue
Below is my inputs.conf config:
[monitor://C:\temp\u*.log]
sourcetype = test_iis
index = testlog
disabled = 0
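The following is an added example, not code from the question or from Splunk itself. It takes the four sample lines from the question, applies a candidate REGEX for the [setnull] stanza with Python's re module (Splunk evaluates REGEX with PCRE, and a pattern this simple behaves identically in both), and checks which lines would be routed to nullQueue before the config is deployed. Compared with the regex in the question it escapes the dots in the IP addresses, matches both GET and POST (the question's pattern only covers GET), and anchors the pattern so it only matches the bare "/ -" request with no query string. The stanza text in the comments assumes the sourcetype is test_iis, as in the question's inputs.conf.

```python
import re

# Sample IIS W3C log lines, constructed from the four lines shown in the question.
# Lines 0 and 1 should be dropped; lines 2 and 3 should be indexed.
SAMPLE_LINES = [
    "2017-05-23 09:03:05 10.211.23.14 GET / - 80 - 10.211.23.242 - - 200 0 0 0",
    "2017-05-23 09:02:28 10.211.23.14 POST / - 80 - 10.211.23.241 - - 200 0 0 0",
    "2017-05-23 09:00:41 10.211.23.14 GET /EnterpriseAddressService/V1/EnterpriseAddressService.svc wsdl=wsdl0 80 - 10.211.22.48 Java/1.7.0_25 - 200 0 0 0",
    "2017-05-23 09:00:41 10.211.23.14 POST /EnterpriseAddressService/V1/EnterpriseAddressService.svc - 80 - 10.211.22.48 JAX-WS+RI+2.2.4-b01 - 200 0 0 171",
]

# Candidate value for REGEX in transforms.conf. Field order follows the W3C
# layout visible in the sample lines: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
# sc-substatus sc-win32-status time-taken.
NULLQUEUE_REGEX = (
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "   # date and time
    r"\d{1,3}(?:\.\d{1,3}){3} "                # s-ip, with the dots escaped
    r"(?:GET|POST) / - "                       # method, bare "/" stem, empty query
    r"\d+ - \d{1,3}(?:\.\d{1,3}){3} "          # s-port, empty username, c-ip
    r"- - \d{3} \d+ \d+ \d+$"                  # empty UA/referer, status, substatus, win32, time-taken
)
_NULLQUEUE_RE = re.compile(NULLQUEUE_REGEX)

# Equivalent Splunk configuration (assumed stanza names; sourcetype test_iis
# comes from the question's inputs.conf). Note that a sourcetype stanza in
# props.conf is written as [test_iis], not [sourcetype::test_iis].
#
# props.conf:
#   [test_iis]
#   TRANSFORMS-set = setnull
#
# transforms.conf:
#   [setnull]
#   REGEX = <value of NULLQUEUE_REGEX>
#   DEST_KEY = queue
#   FORMAT = nullQueue


def routes_to_nullqueue(line: str) -> bool:
    """Return True if Splunk would send this line to nullQueue under the regex above."""
    return _NULLQUEUE_RE.search(line) is not None


def split_lines(lines):
    """Partition lines into (kept, dropped) so the filter can be reviewed as a whole."""
    kept = [line for line in lines if not routes_to_nullqueue(line)]
    dropped = [line for line in lines if routes_to_nullqueue(line)]
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = split_lines(SAMPLE_LINES)
    print(f"{len(dropped)} line(s) would go to nullQueue, {len(kept)} would be indexed")
    for line in kept:
        print("KEEP:", line)
```

Run it with the real log file swapped in for SAMPLE_LINES to confirm nothing wanted is discarded; once the regex is confirmed, paste it into the [setnull] stanza. Index-time TRANSFORMS like this one are applied on the indexer (or a heavy forwarder), so the props.conf and transforms.conf stanzas must live there rather than on a universal forwarder that only has the inputs.conf monitor stanza.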