Re: How do I extract farm name from IIS logs to a ...

smudge797 · ‎09-14-2018

I'm Trying to run a table on IIS logs. The farm is https://sp001, examples below)... However, within the farm we have individual sites. I would like to be able to extract the site name, like "Access%20Requests KYCOpsSupportDocuments" etc... , to table:

https://sp004.mydomain.net/sites1/spvfvfst/Access%20Requests/pendingreq.aspx...
https://sp004.mydomain.net/sites1/spvfvfst/KYCOpsSupportDocuments/...
https://sp004.mydomain.net/sites1/spvfvfst/KYCOpsSupportDocuments/...
https://sp004.mydomain.net/sites1/spvfvfst/Blah/LOB%20Es...
https://sp004.mydomain.net/sites1/spvfvfst/_vti_bin/LOB%20Escalation..
https://sp004.mydomain.net/sites1/spvfvfst/12345dddd/LOB%20Escalation3bivey%25252C%252520Sara&Conten......
https://sp004.mydomain.net/sites1/spvfvfst/Lists/LOB%20Escalation8B...

Thanks!

imthesplunker · ‎09-15-2018

Hi @smudge797, Try this

your base search | rex field=_raw max_match=0 "spvfvfst\/(?<site_name>\S+)\/"

harishalipaka · ‎09-14-2018

hi @smudge797

try this query

 | rex field=<fieldname> "/spvfvfst/(?<MyField>[^,\s]+)/"

Thanks
Harish

493669 · ‎09-14-2018

@smudge797, Try this:

...|rex field=<fieldname> "https:\/\/([^\/]+\/){3}(?<sites>[^\/]+)"

try this run anywhere search-

| makeresults |eval a="https://sp004.mydomain.net/sites1/spvfvfst/Access%20Requests/pendingreq.aspx..."|rex field=a "https:\/\/([^\/]+\/){3}(?<sites>[^\/]+)"

How do I extract farm name from IIS logs to a table?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

How do I extract farm name from IIS logs to a table?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability