- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Renames in Splunk Add-on for Microsoft IIS not wor...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Renames in Splunk Add-on for Microsoft IIS not working
We are using the Splunk Add-on for Microsoft IIS, and I am running into an odd issue where the renames are not working. We are running the add on with splunk enterprise 7.2. The original fields are coming in fine, but the renames to the CIM compliant names are not taking place. Particularly having this issue with cs_Referer and cs_User_Agent. Here is my transforms and props entries:
TRANSFORMS.CONF:
[auto_kv_for_iis_default_IFS1]
DELIMS = " "
FIELDS = date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs_User_Agent cs_Referer sc-status sc-substatus sc-win32-status time-taken
[iis_action_lookup]
filename = iis_action_lookup.csv
PROPS.CONF:
[IFS:http_server]
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = false
REPORT-auto_kv_for_iis_default_IFS1 = auto_kv_for_iis_default_IFS1
LOOKUP-iis_action_lookup = iis_action_lookup status OUTPUT action
FIELDALIAS-cs_username = cs_username as user
FIELDALIAS-cs_User_Agent = cs_User_Agent as http_user_agent, cs_User_Agent_ as http_user_agent, 'cs(User-Agent)' as http_user_agent
FIELDALIAS-cs_uri_stem = cs_uri_stem as uri_path
FIELDALIAS-cs_uri_query = cs_uri_query as uri_query
FIELDALIAS-TimeTakenMS = TimeTakenMS as duration, TimeTakenMS as response_time, time_taken as duration, time_taken as response_time
FIELDALIAS-sc_status = sc_status as status
FIELDALIAS-s_sitename = s_sitename as site
FIELDALIAS-s_ip = s_ip as dest_ip, s_ip as dest, s_ip as dvc
FIELDALIAS-s_port = s_port as http_port, s_port as dest_port, s_port as port
FIELDALIAS-s_computername = s_computername as host
FIELDALIAS-RequestsPerSecond = RequestsPerSecond as hits_per_second
FIELDALIAS-cs_Referer = cs_Referer as http_referrer, cs_Referer_ as http_referrer, cs_Referer as http_referer, cs_Referer_ as http_referer, 'cs(Referer)' as http_referer
FIELDALIAS-cs_method = cs_method as http_method
FIELDALIAS-cs_Cookie = cs_Cookie as cookie, cs_Cookie_ as cookie
FIELDALIAS-c_ip = c_ip as src_ip, c_ip as src
FIELDALIAS-sc_bytes = sc_bytes as bytes_out
FIELDALIAS-cs_bytes = cs_bytes as bytes_in
EVAL-http_user_agent_length = len(http_user_agent)
EVAL-bytes = bytes_in + bytes_out
EVAL-web_server = host . ":" . site
EVAL-vendor = "Microsoft"
EVAL-product = "Internet Information Services (IIS)"
EVAL-vendor_product = "Microsoft Internet Information Services (IIS)"
EVAL-app = "Microsoft Internet Information Services (IIS)"
EVAL-url = if((isnotnull(case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) AND isnotnull(s_ip) AND isnotnull(s_port) AND isnotnull(cs_uri_stem) ), (case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) . "://" . s_ip . ":" . s_port . cs_uri_stem . if(isnull(cs_uri_query) OR (cs_uri_query =="-"), "", "?" + cs_uri_query), "")
EVAL-url_length = len(if((isnotnull(case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) AND isnotnull(s_ip) AND isnotnull(s_port) AND isnotnull(cs_uri_stem) ), (case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) . "://" . s_ip . ":" . s_port . cs_uri_stem . if(isnull(cs_uri_query) OR (cs_uri_query =="-"), "", "?" + cs_uri_query), ""))
EVAL-role = "web_server"
pulldown_type = true
description = Log files produced by Microsoft IIS W3C log files (search-time field extraction)
category = Web
DATETIME_CONFIG =
NO_BINARY_CHECK = true
disabled = false
Thank you for your help.
Andrew
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
