<div>
<div class="content wysiwyg-content fr-view">
I am a Splunk Administrator. Trying to exclude certain IIS logs codes before they are indexed. Already had tried modifying the props.conf and transforms.conf files adding a stanza with the field INDEXED_EXTRACTIONS and the nullQueue value: props.conf[iis_log_ex] INDEXED_EXTRACTIONS&nbsp;=&nbsp;w3c TRANSFORMS-throw_some_away=throw_some_away transforms.conf[throw_some_away] SOURCE_KEY&nbsp;=&nbsp;field:iis_status REGEX&nbsp;=&nbsp;200.0 DEST_KEY&nbsp;=&nbsp;queue FORMAT&nbsp;=&nbsp;nullQueue Something is not working, and I don't know what it is yet.I will appreciate the help.
</div>
</div>


I am a Splunk Administrator. Trying to exclude certain IIS logs codes before they are indexed. Already had tried modifying the props.conf and transforms.conf files adding a stanza with the field INDEXED_EXTRACTIONS and the nullQueue value:
props.conf
[iis_log_ex]
INDEXED_EXTRACTIONS = w3c
TRANSFORMS-throw_some_away=throw_some_away
transforms.conf
[throw_some_away]
SOURCE_KEY = field:iis_status
REGEX = 200.0
DEST_KEY = queue
FORMAT = nullQueue
Something is not working, and I don't know what it is yet.
I will appreciate the help.

Exclude IIS code status before indexed by Splunk

A regular expression ("regex") is a sequence of characters that define a search pattern, mainly for use in pattern matching with strings, or string matching, i.e. "find and replace"-like operations. Regular expression processors are found in several search engines, search and replace dialogs of several word processors and text editors, and in the command lines of text processing utilities, such as sed and AWK. Many programming languages provide regular expression capabilities, some built-in, for example Perl, JavaScript, Ruby, AWK, and Tcl, and others via a standard library, for example .NET languages, Java, Python and C++ (since C++11). Most other languages offer regular expressions via a library.