Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is filtering IIS/Catalina sourcetype not working?

rashiagrawal
Loves-to-Learn Lots
‎02-16-2022 03:03 PM

Hi ,

I am facing a weird issue - where on a Splunk indexer I am trying to filter out log events using props and transforms file. 

I have noticed that filtering of log events works perfectly fine for sourcetypes which are not defined or do not exsist in Splunk default config. For example Okta, Jenkins,fluentd etc.

As soon as I try to filter IIS/Catalina sourcetype - it never works . 

For example this is my props - which is filtering journald sourcetype but not iis

Props 

[iis]
TRANSFORMS-routing = setnull

[journald]

TRANSFORMS-routing = setnull

Transforms 

[setnull]

REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-16-2022 03:15 PM

Do

splunk btool props list --debug

(Or "list props"; I can never remember the proper order of those)

And see what is the effective configuration for your sourcetype and where it's defined

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...