topic Re: Assistance with Extraction in Splunk Search

How to extract fields out of the winevent IIS logs?

XOJ — Wed, 11 May 2022 22:33:56 GMT

I'm trying to extract fields out of the winevent IIS logs. My regex works in regex101 perfectly. Also I can do something very similar with the rex command, so I feel like the regex should be ok. Here is the regex:

Message=.*s-sitename\s(?<s_sitename>\w+)\ss-computername\s(?<s_computername>\w+)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-)\scs-method\s(?<cs_method>\w+)\scs-uri-stem\s(?<cs_uri_stem>.*)\scs-uri-query\s(?<cs_uri_query>.*)\ss-port\s(?<s_port>.*)\scs-username\s(?<cs_username>.*)\sc-ip\s(?<c_ip>.*)\scs-version\s(?<cs_version>.*)\scs\(User-Agent\)\s(?<cs_User_Agent>.*)\scs\(Cookie\)\s(?<cs_Cookie>.*)\scs\(Referer\)\s(?<cs_Referer>.*)\scs-host\s(?<cs_host>.*)\ssc-status\s(?<sc_status>.*)\ssc-substatus\s(?<sc_substatus>.*)\ssc-win32-status\s(?<sc_win32_status>.*)\ssc-bytes\s(?<sc_bytes>.*)\scs-bytes\s(?<cs_bytes>.*)\stime\-taken\s(?<time_taken>\d+)\s(?<additional_info_1>.*)\s(?:x-forwarded-for|X-Forwarded-For) (?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-)\s(?<additional_info_2>.*)

An example that I'm trying to match to with data changed obviously:

Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type -

Unfortunately, when I put the regex in the "New Field Extraction" not a single field shows up.

Appreciate any help in either the regex, or maybe I'm just doing it wrong somehow.

Re: Assistance with Extraction

kartikaykv1 — Thu, 26 Aug 2021 20:35:03 GMT

Try adding ? Like

Message=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s….

It should work.

Re: Assistance with Extraction

kartikaykv1 — Thu, 26 Aug 2021 20:37:46 GMT

| rex “Message\=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s….”

Re: Assistance with Extraction

XOJ — Thu, 26 Aug 2021 20:57:18 GMT

After you posted that, I do see where Splunk PS put the end ? on some of their capture groups, and not on others. Any idea what it does?

In any case, I changed it to the below and still don't see anything being extracted.

Message=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-?)\scs-method\s(?<cs_method>\w+?)\scs-uri-stem\s(?<cs_uri_stem>.*?)\scs-uri-query\s(?<cs_uri_query>.*?)\ss-port\s(?<s_port>.*?)\scs-username\s(?<cs_username>.*?)\sc-ip\s(?<c_ip>.*?)\scs-version\s(?<cs_version>.*?)\scs\(User-Agent\)\s(?<cs_User_Agent>.*?)\scs\(Cookie\)\s(?<cs_Cookie>.*?)\scs\(Referer\)\s(?<cs_Referer>.*?)\scs-host\s(?<cs_host>.*?)\ssc-status\s(?<sc_status>.*?)\ssc-substatus\s(?<sc_substatus>.*?)\ssc-win32-status\s(?<sc_win32_status>.*?)\ssc-bytes\s(?<sc_bytes>.*?)\scs-bytes\s(?<cs_bytes>.*?)\stime\-taken\s(?<time_taken>\d+?)\s(?<additional_info_1>.*?)\s(?:x-forwarded-for|X-Forwarded-For)\s(?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-?)\s(?<additional_info_2>.*?)

Re: Assistance with Extraction

kartikaykv1 — Thu, 26 Aug 2021 21:08:18 GMT

Try this in the end.

forwarded_for>\d+\.\d+\.\d+\.\d+?)\s(?<additional_info_2>.*)

Re: Assistance with Extraction

XOJ — Thu, 26 Aug 2021 21:18:55 GMT

Unfortunately, still none of the fields are showing up. I'm headed out for today, but anything that is thought of I'll try tomorrow. I wish there was somewhere I could find errors on what it is unable to parse. Thanks for the help.

Re: Assistance with Extraction

XOJ — Fri, 27 Aug 2021 16:52:07 GMT

Ok. I've updated it just to this, and even this single field isn't showing up... any other ideas?

Message\=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s

Re: Assistance with Extraction

kartikaykv1 — Fri, 27 Aug 2021 18:08:35 GMT

Probably let's connect over zoom or g-meet then... Kartikaykv@gmail.com

Re: Assistance with Extraction

XOJ — Wed, 11 May 2022 19:14:50 GMT

I got the below to work:

s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>.*)\ss-ip\s(?<s_ip>.*?)\scs-method\s(?<cs_method>\w+?)\scs-uri-stem\s(?<cs_uri_stem>.*?)\scs-uri-query\s(?<cs_uri_query>.*?)\ss-port\s(?<s_port>.*?)\scs-username\s(?<cs_username>.*?)\sc-ip\s(?<c_ip>.*?)\scs-version\s(?<cs_version>.*?)\scs\(User-Agent\)\s(?<cs_User_Agent>.*?)\scs\(Cookie\)\s(?<cs_Cookie>.*?)\scs\(Referer\)\s(?<cs_Referer>.*?)\scs-host\s(?<cs_host>.*?)\ssc-status\s(?<sc_status>.*?)\ssc-substatus\s(?<sc_substatus>.*?)\ssc-win32-status\s(?<sc_win32_status>.*?)\ssc-bytes\s(?<sc_bytes>.*?)\scs-bytes\s(?<cs_bytes>.*?)\stime\-taken\s(?<time_taken>\d+?)\s(?<additional_info_1>.*)\s?(?:x-forwarded-for|X-Forwarded-For)\s(?<x_forwarded_for>(?:\d+\.\d+\.\d+\.\d+|\-))\s?(?<additional_info_2>.*)?