<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic cs_uri_query into separate fields when importing data in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26149#M96649</link>
    <description>&lt;P&gt;I am doing a proof of concept with Splunk.&lt;/P&gt;

&lt;P&gt;When I import my data as IIS-2 log files, Splunk picks up the cs_username, cs_uri_query, cs_uri_stem etc. but does not break up the query string into separate fields.&lt;/P&gt;

&lt;P&gt;When I import my data as a new data type, Splunk does not pick up the cs_username, cs_uri_query, cs_uri_stem etc. but does create fields for each element in the query string.&lt;/P&gt;

&lt;P&gt;Is there a way I can get the cs_username, cs_uri_query, cs_uri_stem etc. and the query string broken up into separate fields?&lt;/P&gt;

&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 13:50:56 GMT</pubDate>
    <dc:creator>DanielFordWA</dc:creator>
    <dc:date>2020-09-28T13:50:56Z</dc:date>
    <item>
      <title>cs_uri_query into separate fields when importing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26149#M96649</link>
      <description>&lt;P&gt;I am doing a proof of concept with Splunk.&lt;/P&gt;

&lt;P&gt;When I import my data as IIS-2 log files, Splunk picks up the cs_username, cs_uri_query, cs_uri_stem etc. but does not break up the query string into separate fields.&lt;/P&gt;

&lt;P&gt;When I import my data as a new data type, Splunk does not pick up the cs_username, cs_uri_query, cs_uri_stem etc. but does create fields for each element in the query string.&lt;/P&gt;

&lt;P&gt;Is there a way I can get the cs_username, cs_uri_query, cs_uri_stem etc. and the query string broken up into separate fields?&lt;/P&gt;

&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 13:50:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26149#M96649</guid>
      <dc:creator>DanielFordWA</dc:creator>
      <dc:date>2020-09-28T13:50:56Z</dc:date>
    </item>
    <item>
      <title>Re: cs_uri_query into separate fields when importing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26150#M96650</link>
      <description>&lt;P&gt;Splunk never MODIFIES any data it indexes unless you specifically tell it to, so I'm not sure what you mean by "breaking up" the events. Maybe you mean that while it's correctly extracting the fields, all you see is the raw data instead of seeing the fields in some kind of tabular format? In that case, it's just a matter of telling Splunk what fields you would like to see in your table. Something like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;yourbasesearch&amp;gt; | table cs_username cs_uri_query cs_uri_stem ...
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 07 May 2013 15:14:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26150#M96650</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-05-07T15:14:36Z</dc:date>
    </item>
    <item>
      <title>Re: cs_uri_query into separate fields when importing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26151#M96651</link>
      <description>&lt;P&gt;The below query works with the custom import; this is because the cs_uri_query has been cut up into separate fields. It does not work when I import the log file as iis-2 format, as the cs_uri_query is not cut up into fields.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;source="test.log" "rshact=docview" | stats count, values(docid) by dscaut docid
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;How would I edit the import features to cut up the cs_uri_query as it does with the custom import?&lt;/P&gt;

&lt;P&gt;..or am I way off the mark &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;Thanks,&lt;/P&gt;

&lt;P&gt;Dan&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 13:51:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26151#M96651</guid>
      <dc:creator>DanielFordWA</dc:creator>
      <dc:date>2020-09-28T13:51:31Z</dc:date>
    </item>
    <item>
      <title>Re: cs_uri_query into separate fields when importing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26152#M96652</link>
      <description>&lt;P&gt;Well, you might be, because I'm not really sure what you mean by "separate fields". A field in Splunk is something it extracts from the raw data. The raw data itself is never "cut up". Might you mean that the cs_uri_query field itself is never created? It might help if you included log samples and what your configuration looks like.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 13:51:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26152#M96652</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2020-09-28T13:51:35Z</dc:date>
    </item>
    <item>
      <title>Re: cs_uri_query into separate fields when importing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26153#M96653</link>
      <description>&lt;P&gt;Hi Ayn,&lt;/P&gt;

&lt;P&gt;Thanks again for the reply. I have sent you a message, as the comments box is too small for the sample log and field examples.&lt;/P&gt;</description>
      <pubDate>Wed, 08 May 2013 11:28:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26153#M96653</guid>
      <dc:creator>DanielFordWA</dc:creator>
      <dc:date>2013-05-08T11:28:37Z</dc:date>
    </item>
    <item>
      <title>Re: cs_uri_query into separate fields when importing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26154#M96654</link>
      <description>&lt;P&gt;I have found a solution. Simply add the below before the query&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="iis-2" | extract auto=true
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;It seems | extract auto=true will extract all the parameters from the cs_uri_query. &lt;/P&gt;

&lt;P&gt;I am not sure if this is the best way to do it, could it be done in the indexing stage?&lt;/P&gt;

&lt;P&gt;Thanks,&lt;/P&gt;

&lt;P&gt;Dan&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 13:52:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/cs-uri-query-into-separate-fileds-when-importing-data/m-p/26154#M96654</guid>
      <dc:creator>DanielFordWA</dc:creator>
      <dc:date>2020-09-28T13:52:36Z</dc:date>
    </item>
  </channel>
</rss>

