Splunk Search

How to extract fields out of the winevent IIS logs?

XOJ
Path Finder

I'm trying to extract fields out of the winevent IIS logs. My regex works in regex101 perfectly. Also I can do something very similar with the rex command, so I feel like the regex should be ok. Here is the regex:

Message=.*s-sitename\s(?<s_sitename>\w+)\ss-computername\s(?<s_computername>\w+)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-)\scs-method\s(?<cs_method>\w+)\scs-uri-stem\s(?<cs_uri_stem>.*)\scs-uri-query\s(?<cs_uri_query>.*)\ss-port\s(?<s_port>.*)\scs-username\s(?<cs_username>.*)\sc-ip\s(?<c_ip>.*)\scs-version\s(?<cs_version>.*)\scs\(User-Agent\)\s(?<cs_User_Agent>.*)\scs\(Cookie\)\s(?<cs_Cookie>.*)\scs\(Referer\)\s(?<cs_Referer>.*)\scs-host\s(?<cs_host>.*)\ssc-status\s(?<sc_status>.*)\ssc-substatus\s(?<sc_substatus>.*)\ssc-win32-status\s(?<sc_win32_status>.*)\ssc-bytes\s(?<sc_bytes>.*)\scs-bytes\s(?<cs_bytes>.*)\stime\-taken\s(?<time_taken>\d+)\s(?<additional_info_1>.*)\s(?:x-forwarded-for|X-Forwarded-For) (?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-)\s(?<additional_info_2>.*)

An example that I'm trying to match, with the data changed, obviously:

Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type -

Unfortunately, when I put the regex in the "New Field Extraction" not a single field shows up.

Appreciate any help in either the regex, or maybe I'm just doing it wrong somehow.

0 Karma

XOJ
Path Finder

Ok. I've updated it just to this, and even this single field isn't showing up... any other ideas?

Message\=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s

0 Karma

kartikaykv1
Explorer

Probably let's connect over zoom or g-meet then... Kartikaykv@gmail.com

0 Karma

kartikaykv1
Explorer

Try this at the end.

forwarded_for>\d+\.\d+\.\d+\.\d+?)\s(?<additional_info_2>.*)

XOJ
Path Finder

Unfortunately, still none of the fields are showing up. I'm headed out for today, but anything that is thought of I'll try tomorrow. I wish there was somewhere I could find errors on what it is unable to parse. Thanks for the help.

0 Karma

kartikaykv1
Explorer

| rex "Message\=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s…."

0 Karma

kartikaykv1
Explorer

Try adding ?, like:

Message=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s….

It should work.

XOJ
Path Finder

After you posted that, I do see where Splunk PS put the end ? on some of their capture groups, and not on others. Any idea what it does?

In any case, I changed it to the below and still don't see anything being extracted.

Message=.*s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>\w+?)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-?)\scs-method\s(?<cs_method>\w+?)\scs-uri-stem\s(?<cs_uri_stem>.*?)\scs-uri-query\s(?<cs_uri_query>.*?)\ss-port\s(?<s_port>.*?)\scs-username\s(?<cs_username>.*?)\sc-ip\s(?<c_ip>.*?)\scs-version\s(?<cs_version>.*?)\scs\(User-Agent\)\s(?<cs_User_Agent>.*?)\scs\(Cookie\)\s(?<cs_Cookie>.*?)\scs\(Referer\)\s(?<cs_Referer>.*?)\scs-host\s(?<cs_host>.*?)\ssc-status\s(?<sc_status>.*?)\ssc-substatus\s(?<sc_substatus>.*?)\ssc-win32-status\s(?<sc_win32_status>.*?)\ssc-bytes\s(?<sc_bytes>.*?)\scs-bytes\s(?<cs_bytes>.*?)\stime\-taken\s(?<time_taken>\d+?)\s(?<additional_info_1>.*?)\s(?:x-forwarded-for|X-Forwarded-For)\s(?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-?)\s(?<additional_info_2>.*?)

0 Karma

XOJ
Path Finder

I got the below to work:

s-sitename\s(?<s_sitename>\w+?)\ss-computername\s(?<s_computername>.*)\ss-ip\s(?<s_ip>.*?)\scs-method\s(?<cs_method>\w+?)\scs-uri-stem\s(?<cs_uri_stem>.*?)\scs-uri-query\s(?<cs_uri_query>.*?)\ss-port\s(?<s_port>.*?)\scs-username\s(?<cs_username>.*?)\sc-ip\s(?<c_ip>.*?)\scs-version\s(?<cs_version>.*?)\scs\(User-Agent\)\s(?<cs_User_Agent>.*?)\scs\(Cookie\)\s(?<cs_Cookie>.*?)\scs\(Referer\)\s(?<cs_Referer>.*?)\scs-host\s(?<cs_host>.*?)\ssc-status\s(?<sc_status>.*?)\ssc-substatus\s(?<sc_substatus>.*?)\ssc-win32-status\s(?<sc_win32_status>.*?)\ssc-bytes\s(?<sc_bytes>.*?)\scs-bytes\s(?<cs_bytes>.*?)\stime\-taken\s(?<time_taken>\d+?)\s(?<additional_info_1>.*)\s?(?:x-forwarded-for|X-Forwarded-For)\s(?<x_forwarded_for>(?:\d+\.\d+\.\d+\.\d+|\-))\s?(?<additional_info_2>.*)?

0 Karma