Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to map all the fields of IIS W3C to Splunk fields

subhadipc
Explorer
‎07-05-2012 12:00 AM

I wanted to see a detailed analysis of IIS logs in W3C (which is being fed to Splunk). I could not get all the available values. For some, may be I am not aware of their Splunk equivalent field.

For example I used another light weight tool call Log Parser 2.2, I wrote the query to get the results:

LogParser.exe -i:W3C "SELECT date, time, cs-uri-stem, sc-bytes, time-taken, cs(Referer) FROM 'C:\Documents and Settings\Administrator\Desktop\Travel Planners\Tasks\Orchestrator Performance RCA\ex120629.log' where cs-uri-stem like '%emreservationlist.asp%'"

I wrote the following query in Splunk thinking it to be equivalent:

host="trlpws003" AND cs_uri_stem ="*emreservationlist.asp" | fields cs_uri_stem, date, time, time_taken, cs_bytes, cs_referer_

The results, though similar, but the Splunk query did not retrieve any value for cs_referer_. Requesting your for the same, and also if possible tell the equivalent Splunk fields for the W3C fields.

Thanks and Regards

Tags (5)
0 Karma
Reply

lguinn2
Legend
‎07-07-2012 05:48 PM

In Splunk, you can simply run the search

host="trlpws003" AND cs_uri_stem ="*emreservationlist.asp"

and you can see the list of fields that splunk has identified and their names by using the blue/grey box on the left of the search results. Click the "edit" button to see the complete list of fields, as Splunk will only show the selected fields and interesting fields by default.

When you use the fields command as you did above, you are suppressing the default field extractions. While you may want to do this later, I think you should start by looking at what Splunk does by default.

The fields sidebar may help you - but it might not. Typically, Splunk identifies the fields in the events based on the sourcetype. If the sourcetype is iis, then Splunk will extract the IIS fields (and hopefully name them appropriately). However, if you have used a different sourcetype name, Splunk will not know to use its built-in IIS field definitions.

What is the name of the sourcetype for the results of this search?

Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top