How to extract fields out of the winevent IIS logs?

XOJ
Path Finder

I'm trying to extract fields out of the winevent IIS logs. My regex works in regex101 perfectly. Also I can do something very similar with the rex command, so I feel like the regex should be ok. Here is the regex:

Message=.*s-sitename\s(?<s_sitename>\w+)\ss-computername\s(?<s_computername>\w+)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-)\scs-method\s(?<cs_method>\w+)\scs-uri-stem\s(?<cs_uri_stem>.*)\scs-uri-query\s(?<cs_uri_query>.*)\ss-port\s(?<s_port>.*)\scs-username\s(?<cs_username>.*)\sc-ip\s(?<c_ip>.*)\scs-version\s(?<cs_version>.*)\scs\(User-Agent\)\s(?<cs_User_Agent>.*)\scs\(Cookie\)\s(?<cs_Cookie>.*)\scs\(Referer\)\s(?<cs_Referer>.*)\scs-host\s(?<cs_host>.*)\ssc-status\s(?<sc_status>.*)\ssc-substatus\s(?<sc_substatus>.*)\ssc-win32-status\s(?<sc_win32_status>.*)\ssc-bytes\s(?<sc_bytes>.*)\scs-bytes\s(?<cs_bytes>.*)\stime\-taken\s(?<time_taken>\d+)\s(?<additional_info_1>.*)\s(?:x-forwarded-for|X-Forwarded-For) (?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-)\s(?<additional_info_2>.*)

An example that I'm trying to match to with data changed obviously:

Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type -

Unfortunately, when I put the regex in the "New Field Extraction" not a single field shows up.

Appreciate any help in either the regex, or maybe I'm just doing it wrong somehow.


XOJ
Path Finder

Ok. I've updated it just to this, and even this single field isn't showing up... any other ideas?

Message\=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s

kartikaykv1
Explorer

Probably let's connect over zoom or g-meet then... Kartikaykv@gmail.com

kartikaykv1
Explorer

Try this in the end.

forwarded_for>\d+\.\d+\.\d+\.\d+?)\s(?<additional_info_2>.*)

XOJ
Path Finder

Unfortunately, still none of the fields are showing up. I'm headed out for today, but anything that is thought of I'll try tomorrow. I wish there was somewhere I could find errors on what it is unable to parse. Thanks for the help.

kartikaykv1
Explorer

| rex "Message\=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s…."

kartikaykv1
Explorer

Try adding ?, like

Message=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s….
It should work.

XOJ
Path Finder

After you posted that, I do see where Splunk PS put the end ? on some of their capture groups, and not on others. Any idea what it does?

In any case, I changed it to the below and still don't see anything being extracted.

Message=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-?)\scs-method\s(?<cs_method>\w+?)\scs-uri-stem\s(?<cs_uri_stem>.*?)\scs-uri-query\s(?<cs_uri_query>.*?)\ss-port\s(?<s_port>.*?)\scs-username\s(?<cs_username>.*?)\sc-ip\s(?<c_ip>.*?)\scs-version\s(?<cs_version>.*?)\scs\(User-Agent\)\s(?<cs_User_Agent>.*?)\scs\(Cookie\)\s(?<cs_Cookie>.*?)\scs\(Referer\)\s(?<cs_Referer>.*?)\scs-host\s(?<cs_host>.*?)\ssc-status\s(?<sc_status>.*?)\ssc-substatus\s(?<sc_substatus>.*?)\ssc-win32-status\s(?<sc_win32_status>.*?)\ssc-bytes\s(?<sc_bytes>.*?)\scs-bytes\s(?<cs_bytes>.*?)\stime\-taken\s(?<time_taken>\d+?)\s(?<additional_info_1>.*?)\s(?:x-forwarded-for|X-Forwarded-For)\s(?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-?)\s(?<additional_info_2>.*?)

XOJ
Path Finder

I got the below to work:

s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>.*)\ss-ip\s(?<s_ip>.*?)\scs-method\s(?<cs_method>\w+?)\scs-uri-stem\s(?<cs_uri_stem>.*?)\scs-uri-query\s(?<cs_uri_query>.*?)\ss-port\s(?<s_port>.*?)\scs-username\s(?<cs_username>.*?)\sc-ip\s(?<c_ip>.*?)\scs-version\s(?<cs_version>.*?)\scs\(User-Agent\)\s(?<cs_User_Agent>.*?)\scs\(Cookie\)\s(?<cs_Cookie>.*?)\scs\(Referer\)\s(?<cs_Referer>.*?)\scs-host\s(?<cs_host>.*?)\ssc-status\s(?<sc_status>.*?)\ssc-substatus\s(?<sc_substatus>.*?)\ssc-win32-status\s(?<sc_win32_status>.*?)\ssc-bytes\s(?<sc_bytes>.*?)\scs-bytes\s(?<cs_bytes>.*?)\stime\-taken\s(?<time_taken>\d+?)\s(?<additional_info_1>.*)\s?(?:x-forwarded-for|X-Forwarded-For)\s(?<x_forwarded_for>(?:\d+\.\d+\.\d+\.\d+|\-))\s?(?<additional_info_2>.*)?

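As an added example (not from the thread, Splunk or its PS team), the final working pattern rebuilt in Python from a list of field names and run over a constructed copy of the redacted sample event; the names `FIELD_SPECS`, `build_pattern` and `extract_iis_fields` are mine. It also covers the open question about the trailing `?`: after a quantifier it makes the match lazy, so `.*?` stops at the first place the next literal key matches instead of the last one.

```python
import re

# Constructed sample events, modelled on the redacted one in the thread (not real traffic).
SAMPLE = (
    "Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 "
    "cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. "
    "cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 "
    "sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive "
    "Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - "
    "HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type -"
)
SAMPLE_NO_XFF = SAMPLE.replace("X-Forwarded-For 00.00.000.0", "X-Forwarded-For -")

# W3C field names in the order the event lists them, each with the value sub-pattern the
# working regex uses for it. A trailing ? makes a quantifier lazy: (.*?) stops at the first
# position where the following literal key matches instead of backtracking from the end.
FIELD_SPECS = [
    ("s-sitename", r"\w+?"), ("s-computername", r".*?"), ("s-ip", r".*?"),
    ("cs-method", r"\w+?"), ("cs-uri-stem", r".*?"), ("cs-uri-query", r".*?"),
    ("s-port", r".*?"), ("cs-username", r".*?"), ("c-ip", r".*?"), ("cs-version", r".*?"),
    ("cs(User-Agent)", r".*?"), ("cs(Cookie)", r".*?"), ("cs(Referer)", r".*?"),
    ("cs-host", r".*?"), ("sc-status", r".*?"), ("sc-substatus", r".*?"),
    ("sc-win32-status", r".*?"), ("sc-bytes", r".*?"), ("cs-bytes", r".*?"),
    ("time-taken", r"\d+?"),
]

# Everything after time-taken is a free-form header tail; only X-Forwarded-For is pulled out,
# and it may be a dotted quad or "-" when no proxy set the header.
TAIL = (
    r"\s(?P<additional_info_1>.*)\s(?:x-forwarded-for|X-Forwarded-For)\s"
    r"(?P<x_forwarded_for>(?:\d+\.\d+\.\d+\.\d+|-))\s?(?P<additional_info_2>.*)"
)

def field_name(key):
    """Turn a W3C key such as cs(User-Agent) into the Splunk-safe group name cs_User_Agent."""
    return re.sub(r"[^A-Za-z0-9]", "_", key).strip("_")

def build_pattern(specs=FIELD_SPECS):
    """Assemble the key/value regex; each key is escaped so ( ) and - stay literal."""
    parts = [rf"{re.escape(key)}\s(?P<{field_name(key)}>{value_re})" for key, value_re in specs]
    return re.compile(r"\s".join(parts) + TAIL)

IIS_FIELDS = build_pattern()

def extract_iis_fields(event):
    """Return the named groups as a dict, or None when the event is not an IIS log line."""
    m = IIS_FIELDS.search(event)
    return m.groupdict() if m else None
```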