Getting Data In

cs_uri_query into separate fields when importing data

DanielFordWA
Contributor

I am doing a proof of concept with Splunk.

When I import my data as IIS-2 log files splunk picks up the cs_username, cs_uri_query, cs_uri_stem etc but does not break up the query string into separate fields.

When I import my data as a new data type splunk does not pick up the cs_username, cs_uri_query, cs_uri_stem etc but does create fields for each element in the query string.

Is there a way I can get the cs_username, cs_uri_query, cs_uri_stem etc. and the query string broken up into separate fields?

Thanks

0 Karma
1 Solution

DanielFordWA
Contributor

I have found a solution. Simply add the below before the query

sourcetype="iis-2" | extract auto=true

It seems | extract auto=true will extract all the parameters from the cs_uri_query.

I am not sure if this is the best way to do it, could it be done in the indexing stage?

Thanks,

Dan

0 Karma
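As an added illustration of what the accepted `| extract auto=true` step does to cs_uri_query (example code written for this page, not from the thread or from Splunk): the parser below reads a constructed IIS W3C log, keeps the header-driven columns such as cs_username and cs_uri_stem, adds one field per query-string parameter, and then reproduces the `stats count by dscaut docid` search from the thread. The sample log lines and the `parse_w3c` / `count_by` names are assumptions made for the example.

```python
from urllib.parse import parse_qsl

# Constructed IIS W3C extended log sample (not from the thread); the `#Fields:`
# header drives the column names, as it does for Splunk's iis sourcetype.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2013-05-01 10:00:01 10.0.0.5 GET /docs/view.aspx rshact=docview&docid=123&dscaut=alice 80 CORP\\alice 192.0.2.10 200
2013-05-01 10:00:02 10.0.0.5 GET /docs/view.aspx rshact=docview&docid=124&dscaut=alice 80 CORP\\alice 192.0.2.10 200
2013-05-01 10:00:03 10.0.0.5 GET /docs/view.aspx rshact=docview&docid=12%33&dscaut=bob 80 CORP\\bob 192.0.2.11 200
2013-05-01 10:00:04 10.0.0.5 GET /default.aspx - 80 - 192.0.2.12 302
2013-05-01 10:00:05 10.0.0.5 GET /docs/view.aspx rshact=docview&docid=125&dscaut=carol&cs_username=admin 80 CORP\\carol 192.0.2.13 200
"""


def parse_w3c(text):
    """Yield one dict per event: the W3C columns plus one field per query parameter."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # Splunk names these with underscores (cs_uri_query); mirror that here.
            fields = [f.replace("-", "_") for f in line.split()[1:]]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        event = dict(zip(fields, values))
        query = event.get("cs_uri_query", "-")
        if query != "-":  # IIS writes "-" for an empty query string
            # The key=value split that `| extract auto=true` performs at search time;
            # parse_qsl also percent-decodes, so docid=12%33 becomes "123".
            for key, value in parse_qsl(query, keep_blank_values=True):
                # A request-controlled parameter must never overwrite a server-written
                # column such as cs_username, so only fill names that are still free.
                event.setdefault(key, value)
        yield event


def count_by(events, *keys, **where):
    """`stats count by <keys>` over the events matching the field=value filter in `where`."""
    counts = {}
    for ev in events:
        if all(ev.get(k) == v for k, v in where.items()) and all(k in ev for k in keys):
            combo = tuple(ev[k] for k in keys)
            counts[combo] = counts.get(combo, 0) + 1
    return counts
```

Calling `count_by(list(parse_w3c(SAMPLE_LOG)), "dscaut", "docid", rshact="docview")` gives one count per (dscaut, docid) pair, the same shape as the thread's `stats` output.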

Ayn
Legend

Splunk never MODIFIES any data it indexes unless you specifically tell it to, so I'm not sure what you mean by "breaking up" the events. Maybe you mean that while it's correctly extracting the fields, all you see is the raw data instead of seeing the fields in some kind of tabular format? In that case, it's just a matter of telling Splunk what fields you would like to see in your table. Something like this:

<yourbasesearch> | table cs_username cs_uri_query cs_uri_stem ...
0 Karma

DanielFordWA
Contributor

Hi Ayn,

Thanks again for the reply. I have sent you a msg, as the comments box is too small for the sample log and field examples.

0 Karma

Ayn
Legend

Well, you might be, because I'm not really sure what you mean by "separate fields". A field in Splunk is something it extracts from the raw data. The raw data itself is never "cut up". Might you mean that the cs_uri_query field itself is never created? It might help if you included log samples and what your configuration looks like.

DanielFordWA
Contributor

The below query works with the custom import; this is because the cs_uri_query has been cut up into separate fields. It does not work when I import the log file in the iis-2 format, as the cs_uri_query is not cut up into fields.

source="test.log" "rshact=docview" | stats count, values(docid) by dscaut docid

How would I edit the import features to cut up the cs_uri_query as it does with the custom import?

...or am I way off the mark 🙂

Thanks,

Dan

0 Karma