How can I split IIS logs from Amazon Kinesis strea...

jmajumdar · ‎10-24-2017

Hello -

Is there a way to split the line below : with '--". This is from the IIS logs of Amazom Kinesis. 200 is http status code. Sometimes it is a different status code, such as 500 or 404 etc. I noticed they always have "--" in front of it (unlike windows iis log or Apache) . So if I can split it at "--" , I can use the rex field to do the rest . Whenever I try the below , it does not work . Has anyone every had to deal iis log from aws kinesis stream?
eval temp=split(logmessage,"- -") | eval FieldB=mvindex(temp,1) .

This is the line:
"111.111.111.111 GET /somethingFinder.Services/6/healthcheck - 80 - 111.11.111.111 - - 200 0 0 2"

saurabhkharkar · ‎12-17-2018

If you just want to split at '- -' by adding a line break you can use this

| makeresults
| eval _raw="111.111.111.111 GET /somethingFinder.Services/6/healthcheck - 80 - 111.11.111.111 - - 200 0 0 2"
| rex mode=sed field=_raw "s/- -/\n/g"

or if you want the status code extracted - use this
| makeresults
| eval _raw="111.111.111.111 GET /somethingFinder.Services/6/healthcheck - 80 - 111.11.111.111 - - 200 0 0 2"
| rex field=_raw ".*?- -\s(?\d+)"
| table _raw change

saurabhkharkar · ‎12-17-2018

after ? add <_raw>
| table _raw

How can I split IIS logs from Amazon Kinesis stream on "- -" ?

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control