topic Re: how to use Extracting fields from Microsoft Internet Authentication Service (IAS) APP? in Splunk Search https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52764#M12843 <P>This App does need some documentation. The App is looking for data that has a sourcetype of "ias" and builds field extractions for you. Make sure that you assign the sourcetype to your data in the Manager--&gt;Data Inputs or in the inputs.conf file. Here is an examples:</P> <P>[monitor://C:\Program Files\ias\logs] # your path will be different and you might be using a Forwarder<BR /> sourcetype = ias</P> <P>Now when you look in the /ias/default directory there is a props.conf and transforms.conf file. The props.conf is looking for any data that has a sourcetype=ias and the transforms.conf is creating the field extractions. </P> <P>After enabling this App and making sure that your sourcetype is set to ias then you should have additional field extractions as "Interesting fields" in Splunk. </P> Mon, 03 Dec 2012 22:25:12 GMT tgow 2012-12-03T22:25:12Z how to use Extracting fields from Microsoft Internet Authentication Service (IAS) APP? https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52763#M12842 <P>Since there is no documentation how to use this APP, I would like to know how to set it up and getting data in? Do I need to set up a splunkUniversalForwarder in my IAS server or else?</P> Mon, 03 Dec 2012 21:52:10 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52763#M12842 jimzzhou 2012-12-03T21:52:10Z Re: how to use Extracting fields from Microsoft Internet Authentication Service (IAS) APP? https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52764#M12843 <P>This App does need some documentation. The App is looking for data that has a sourcetype of "ias" and builds field extractions for you. Make sure that you assign the sourcetype to your data in the Manager--&gt;Data Inputs or in the inputs.conf file. Here is an examples:</P> <P>[monitor://C:\Program Files\ias\logs] # your path will be different and you might be using a Forwarder<BR /> sourcetype = ias</P> <P>Now when you look in the /ias/default directory there is a props.conf and transforms.conf file. The props.conf is looking for any data that has a sourcetype=ias and the transforms.conf is creating the field extractions. </P> <P>After enabling this App and making sure that your sourcetype is set to ias then you should have additional field extractions as "Interesting fields" in Splunk. </P> Mon, 03 Dec 2012 22:25:12 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52764#M12843 tgow 2012-12-03T22:25:12Z Re: how to use Extracting fields from Microsoft Internet Authentication Service (IAS) APP? https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52765#M12844 <P>I am getting data in but they are all garble messages. I am using NPS not IAS. Do I need to modify the Pros.conf and transforms.com codes?</P> <P>this is the log format.</P> <P>"HEAP","IAS",11/12/2012,00:00:39,1,"SSAGadmin","ERN\SSAGadmin","00-90-0B-0A-9D-A4:NGSTV224","84-4B-F5-5C-21-35",,,,"172.20.166.15",2050,0,"172.20.166.15","Wireless APs",,,19,"CONNECT 802.11g",,,5,,0,"311 1 fe80::819c:f313:6bc7:f05c 10/24/2012 01:00:02 3624203",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Noc_Admin_Access",1,,,,<BR /> "HEAP","IAS",11/12/2012,00:00:39,3,,"ERN\SSAGadmin",,,,,,,,0,"172.20.166.15","Wireless APs",,,,,,,5,,8,"311 1 fe80::819c:f313:6bc7:f05c 10/24/2012 01:00:02 3624203",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Noc_Admin_Access",1,,,,</P> <P>This is the splunk ias output message.<BR /> -splunk-cooked-mode-v3--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00heap\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x008089\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x1\x00\x00\x00\x13__s2s_capabilities\x00\x00\x00\x00\x14ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00\x5_raw\x00</P> Mon, 28 Sep 2020 12:54:36 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52765#M12844 jimzzhou 2020-09-28T12:54:36Z Re: how to use Extracting fields from Microsoft Internet Authentication Service (IAS) APP? https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52766#M12845 <P>jimzzhou - what you are looking at there is 'cooked' data. If you would prefer to see it native then just add or edit the exisitng line in your outputs.conf to sendCookedData=False<BR /> Br<BR /> D</P> Tue, 04 Dec 2012 16:51:59 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52766#M12845 DaveSavage 2012-12-04T16:51:59Z Re: how to use Extracting fields from Microsoft Internet Authentication Service (IAS) APP? https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52767#M12846 <P>I should add...'on your forwarder' <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> Not sure if you know or realised this from the postings above...but make your changes to a version in the local folder so as to ensure a) its persistent even throughout updates / upgrades, and b) thats your space.</P> Tue, 04 Dec 2012 16:56:03 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52767#M12846 DaveSavage 2012-12-04T16:56:03Z Re: how to use Extracting fields from Microsoft Internet Authentication Service (IAS) APP? https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52768#M12847 <P>All right, I got it running. thank you a bunch!</P> Wed, 05 Dec 2012 00:08:27 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-Extracting-fields-from-Microsoft-Internet/m-p/52768#M12847 jimzzhou 2012-12-05T00:08:27Z