All Apps and Add-ons

field extraction mismatch when doing IIS log from EXCHANGE 2016

Splunk Employee
Splunk Employee

Sample log below:

Successful example:
2018-08-03 08:06:42 10.200.11.15 POST /owa/auth.owa &ClientId=72385290B62F418BBC3DCD378E57E295&CorrelationID=;&cafeReqId=6f706bbd-5b80-4ae3-905f-0f7c664a8bdd;&encoding=; 443 aaa@thecompany.com 192.168.0.33 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.0.3396.99+Safari/537.36 https://mail.thecompany.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.thecompany.c... 302 0 0 31 10.200.11.222

Failed example
2018-08-03 08:05:49 POST /owa/auth.owa &ClientId=9C05E320E354474888FB8B127316369F&CorrelationID=;&cafeReqId=3a08858c-7442-4740-9dfa-01606bf56ddd;&encoding=; 443 aaa@thecompany.com 192.168.0.33 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:61.0)+Gecko/20100101+Firefox/61.0 https://mail.thecompany.com/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.thecompany.com%2... 302 0 0 27 10.200.11.233

Advanced logging is enabled on exchange as the mail servers are behind a F5. X-Forwarded-For is configured to pass the clientip.
It looks some logs don't have the s_ip fields. Not sure why? Instead of tuning the field extraction right away, I believe there should have some easier way to do the adaption.

Any comments are welcome. Thanks.