Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filtering Fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filtering Fields
host=server sourcetype=iis src_ip=* NOT src_ip="x.x.x.x"
This Search gives me some very helpful information - but regarding the URL, I get the url information and lots of compatibility information which I want to filter out. I am unable to accomplish this so far. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are just looking for source ip at the end of your search pipe into a table.
host=server sourcetype=iis src_ip=* NOT src_ip="x.x.x.x" | table _time src_ip
This will give you just the time and source IP of the events.
also if you use the dedup command you will get just a list of unique source IP addresses as a list.
host=server sourcetype=iis src_ip=* NOT src_ip="x.x.x.x" |dedup src_ip | table src_ip | sort -src_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The IIS fields you are looking for are (should) already be available. From your original search which gives you all the data look on the left side of the screen.
The field list should contain fields like: c_ip, cs_bytes, cs_method, cs_Referer_, cs_uri_query cs_uri_stem, etc... If you don't see them, then select Show All Fields at the bottom of the list.
Just add the fields you want to your table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the field doesn't already exist you will need to create an extraction. Next to the event click the arrow on the left hand side and in event actions select extract fields. You can then give some examples that you want to extract. Then save the extraction as some field name. Now you can add your field name to the search above and get the extraction for the web get request.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the information. Being new to the search format, that was most helpful. The only other field I need to extract would be like the example that follows:
Request (GET:https://website.website.com:443/ntwkcntr/NCC%20MGMT/_w/Elvis%20Presley_jpg.jpg)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
