Franklin Catoni
asked on
Exclude IIS status codes before they are indexed by Splunk
I am a Splunk administrator trying to exclude certain IIS log codes before they are indexed. I have already tried modifying the props.conf and transforms.conf files, adding a stanza with the field INDEXED_EXTRACTIONS and the nullQueue value:
props.conf
[iis_log_ex]
INDEXED_EXTRACTIONS = w3c
TRANSFORMS-throw_some_away=throw_some_away
transforms.conf
[throw_some_away]
SOURCE_KEY = field:iis_status
REGEX = 200.0
DEST_KEY = queue
FORMAT = nullQueue
Something is not working, and I don't know what it is yet.
I will appreciate the help.