<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Ingest IIS Appcmd into table visualization in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-IIS-Appcmd-into-table-visualization/m-p/441090#M76892</link>
    <description>&lt;P&gt;I apologize if this has been asked before, I couldn't find it via the search/google/youtube. &lt;/P&gt;

&lt;P&gt;I'm outputting IIS AppPool/Site configurations to a text file (one for AppPools, and one for Sites), and ingesting them into Splunk. For the life of me I cannot figure out how to get this to format correctly in Splunk, or what I need to do in order to put it in a readable format that I can use to compare 2 IIS configs against each other in a table. I'll share a test config file that I made, and maybe someone can tell me how I should be formatting it.&lt;/P&gt;

&lt;P&gt;AppCmd does give you the option to export to XML, would this be an easier option for splunk to parse it correctly?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;SITE
  SITE.NAME:"Test"
  SITE.ID:"2"
  bindings:"http/*:80:*"
  state:"Started"
  [site] 
    name:"Test" 
    id:"2" 
    serverAutoStart:"true" 
    [bindings] 
      [binding] 
        protocol:"http" 
        bindingInformation:"*:80:*" 
        sslFlags:"0" 
    [limits] 
      maxBandwidth:"4294967295" 
      maxConnections:"4294967295" 
      connectionTimeout:"00:02:00" 
      maxUrlSegments:"32" 
    [logFile] 
      logExtFileFlags:"Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, HttpSubStatus" 
      customLogPluginClsid:"" 
      logFormat:"W3C" 
      logTargetW3C:"File" 
      directory:"C:\inetpub\logs\LogFiles" 
      period:"Daily" 
      truncateSize:"20971520" 
      localTimeRollover:"false" 
      enabled:"true" 
      logSiteId:"true" 
      flushByEntryCountW3CLog:"0" 
      maxLogLineLength:"65536" 
      [customFields] 
        maxCustomFieldLength:"4096" 
    [traceFailedRequestsLogging] 
      enabled:"false" 
      directory:"C:\inetpub\logs\FailedReqLogFiles" 
      maxLogFiles:"50" 
      maxLogFileSizeKB:"1024" 
      customActionsEnabled:"false" 
    [applicationDefaults] 
      path:"" 
      applicationPool:"" 
      enabledProtocols:"http" 
      serviceAutoStartEnabled:"false" 
      serviceAutoStartProvider:"" 
      preloadEnabled:"false" 
    [virtualDirectoryDefaults] 
      path:"" 
      physicalPath:"" 
      userName:"" 
      password:"" 
      logonMethod:"ClearText" 
      allowSubDirConfig:"true" 
    [ftpServer] 
      allowUTF8:"true" 
      serverAutoStart:"true" 
      [connections] 
        unauthenticatedTimeout:"30" 
        controlChannelTimeout:"120" 
        dataChannelTimeout:"30" 
        disableSocketPooling:"false" 
        serverListenBacklog:"60" 
        minBytesPerSecond:"240" 
        maxConnections:"4294967295" 
        resetOnMaxConnections:"false" 
        maxBandwidth:"4294967295" 
      [security] 
        [dataChannelSecurity] 
          matchClientAddressForPort:"true" 
          matchClientAddressForPasv:"true" 
        [commandFiltering] 
          maxCommandLine:"4096" 
          allowUnlisted:"true" 
        [ssl] 
          serverCertHash:"" 
          serverCertStoreName:"MY" 
          ssl128:"false" 
          controlChannelPolicy:"SslRequire" 
          dataChannelPolicy:"SslRequire" 
        [sslClientCertificates] 
          clientCertificatePolicy:"CertIgnore" 
          useActiveDirectoryMapping:"false" 
          validationFlags:"" 
          revocationFreshnessTime:"00:00:00" 
          revocationUrlRetrievalTimeout:"00:01:00" 
        [authentication] 
          [anonymousAuthentication] 
            enabled:"false" 
            userName:"IUSR" 
            password:"" 
            defaultLogonDomain:"NT AUTHORITY" 
            logonMethod:"ClearText" 
          [basicAuthentication] 
            enabled:"false" 
            defaultLogonDomain:"" 
            logonMethod:"ClearText" 
          [clientCertAuthentication] 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Splunk seems to extract some fields in [ ], but not all of them, and for some reason it thinks the whole config is a single entry as well.&lt;/P&gt;

&lt;P&gt;Again, I apologize if this or a similar question has been asked. I'm relatively new to Splunk. I appreciate any and all assistance.&lt;/P&gt;

&lt;P&gt;Thanks. &lt;/P&gt;</description>
    <pubDate>Thu, 14 Mar 2019 19:12:33 GMT</pubDate>
    <dc:creator>phreakingjt</dc:creator>
    <dc:date>2019-03-14T19:12:33Z</dc:date>
    <item>
      <title>Ingest IIS Appcmd into table visualization</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-IIS-Appcmd-into-table-visualization/m-p/441090#M76892</link>
      <pubDate>Thu, 14 Mar 2019 19:12:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-IIS-Appcmd-into-table-visualization/m-p/441090#M76892</guid>
      <dc:creator>phreakingjt</dc:creator>
      <dc:date>2019-03-14T19:12:33Z</dc:date>
    </item>
    <item>
      <title>Re: Ingest IIS Appcmd into table visualization</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Ingest-IIS-Appcmd-into-table-visualization/m-p/441091#M76893</link>
      <description>&lt;P&gt;I would suggest trying the output as XML, in order to get more logical parsing out of the box for Splunk. Your observation is correct... the whole config IS a single entry. You are trying to compare the fields in one entry with the fields in another entry.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 13:07:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Ingest-IIS-Appcmd-into-table-visualization/m-p/441091#M76893</guid>
      <dc:creator>efavreau</dc:creator>
      <dc:date>2019-03-19T13:07:26Z</dc:date>
    </item>
  </channel>
</rss>

