https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472357#M81181 <P>Hi Splunk Ninjas,</P> <P>We have different web portals for different purposes. I categorize them as internal and external web portal. <BR /> Now under the cs_host field I have different values but both type of values are pointing as one web portal<BR /> for example. <BR /> <STRONG>cs_host=<A href="http://www.abc.com" target="_blank">www.abc.com</A> dvc/host= 1.2.3.4(External)<BR /> cs_host=abc.com dvc/host= 1.2.3.4(Internal)<BR /> cs_host=abc dvc/host= 1.2.3.4(Internal)<BR /> cs_host=<A href="http://www.xyz.com" target="_blank">www.xyz.com</A> dvc/host= 1.2.3.4(External)<BR /> cs_host=xyz.com dvc/host= 1.2.3.4(Internal)<BR /> cs_host=xyz dvc/host= 1.2.3.4(External)</STRONG></P> <P>The idea comes in my mind to separate them based on either internal OR external<BR /> so if the cs_host=<A href="http://www.abc.com" target="_blank">www.abc.com</A> OR cs_host=<A href="http://www.xyz.com" target="_blank">www.xyz.com</A> <BR /> then there should be another field name web_portal=external<BR /> and if cs_host=abc.com|abc OR cs_host=xyz|xyz.com<BR /> the cs_host values should become abc|xyz.</P> Wed, 30 Sep 2020 02:46:40 GMT riqbal47010 2020-09-30T02:46:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472357#M81181 <P>Hi Splunk Ninjas,</P> <P>We have different web portals for different purposes. I categorize them as internal and external web portal. <BR /> Now under the cs_host field I have different values but both type of values are pointing as one web portal<BR /> for example. <BR /> <STRONG>cs_host=<A href="http://www.abc.com" target="_blank">www.abc.com</A> dvc/host= 1.2.3.4(External)<BR /> cs_host=abc.com dvc/host= 1.2.3.4(Internal)<BR /> cs_host=abc dvc/host= 1.2.3.4(Internal)<BR /> cs_host=<A href="http://www.xyz.com" target="_blank">www.xyz.com</A> dvc/host= 1.2.3.4(External)<BR /> cs_host=xyz.com dvc/host= 1.2.3.4(Internal)<BR /> cs_host=xyz dvc/host= 1.2.3.4(External)</STRONG></P> <P>The idea comes in my mind to separate them based on either internal OR external<BR /> so if the cs_host=<A href="http://www.abc.com" target="_blank">www.abc.com</A> OR cs_host=<A href="http://www.xyz.com" target="_blank">www.xyz.com</A> <BR /> then there should be another field name web_portal=external<BR /> and if cs_host=abc.com|abc OR cs_host=xyz|xyz.com<BR /> the cs_host values should become abc|xyz.</P> Wed, 30 Sep 2020 02:46:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472357#M81181 riqbal47010 2020-09-30T02:46:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472358#M81182 <P>OR in simple can we achieve beow:</P> <P>if (cs_host = <A href="http://www.abc.com" target="_blank">www.abc.com</A> OR cs_host=<A href="http://www.xyz.com" target="_blank">www.xyz.com</A> OR cs_host="<A href="http://www.*%22" target="_blank">www.*"</A>), External, internal)</P> Wed, 30 Sep 2020 02:46:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472358#M81182 riqbal47010 2020-09-30T02:46:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472359#M81183 <P>I suspect you need to use something from what Splunk call Knowledge Objects, there's a <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/WhatisSplunkknowledge">document</A> all about them . I'm sure there were some sessions from <A href="https://splunkbase.splunk.com/app/3330/">past .conf's</A> that covered this. I think in a previous life (when Splunk was my main focus - I only dabble now) I found <A href="http://conf.splunk.com/session/2013/US73002_Using_Splunk_LincolnBowser_UnleasingthePowerofSplunkwithKnowledgeObjects.m4v">this session</A> useful. </P> Thu, 31 Oct 2019 09:37:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472359#M81183 RHASQaL 2019-10-31T09:37:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472360#M81184 <P>Hi riqbal47010, </P> <P>beside <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Knowledge/definecalcfields" target="_blank">calculated fields</A> this would be achived best with a csv-file and an <A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Knowledge/Aboutlookupsandfieldactions" target="_blank">lookup</A>. </P> <P>You can define input fields (f.e. "cs_host") for different output fields (f.e. "web_portal") in your csv file and make that an (automatc) lookup. Wildcards and mutlple field combinations work aswell. For your needs something like should be a good start: </P> <PRE><CODE>"cs_host","web_portal" "xyz.com","external" "xyz.dev","internal" "*.dev","internal" </CODE></PRE> <P>If you have the lookup working make it automatic so it gets applied autoamticly to every search on the source/sourcetype or hosts. </P> <P>Greetings</P> Wed, 30 Sep 2020 02:47:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472360#M81184 hgrow 2020-09-30T02:47:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472361#M81185 <P>dear Hgrow,</P> <P>This idea mekes sense to you. can you please help me to achieve this. furthermore can I expand this to f5.</P> Mon, 04 Nov 2019 12:23:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-IIS-logs-while-parsing/m-p/472361#M81185 riqbal47010 2019-11-04T12:23:15Z