All Apps and Add-ons

field extraction mismatch when doing IIS log from EXCHANGE 2016

Splunk Employee
Splunk Employee

Sample log below:

Successful example:
2018-08-03 08:06:42 POST /owa/auth.owa &ClientId=72385290B62F418BBC3DCD378E57E295&CorrelationID=;&cafeReqId=6f706bbd-5b80-4ae3-905f-0f7c664a8bdd;&encoding=; 443 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.0.3396.99+Safari/537.36 302 0 0 31

Failed example
2018-08-03 08:05:49 POST /owa/auth.owa &ClientId=9C05E320E354474888FB8B127316369F&CorrelationID=;&cafeReqId=3a08858c-7442-4740-9dfa-01606bf56ddd;&encoding=; 443 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:61.0)+Gecko/20100101+Firefox/61.0 302 0 0 27

Advanced logging is enabled on exchange as the mail servers are behind a F5. X-Forwarded-For is configured to pass the clientip.
It looks some logs don't have the s_ip fields. Not sure why? Instead of tuning the field extraction right away, I believe there should have some easier way to do the adaption.

Any comments are welcome. Thanks.