
How to map all the fields of IIS W3C to Splunk fields


I wanted to see a detailed analysis of IIS logs in W3C format (which are being fed to Splunk). I could not get all the available values; for some, maybe I am not aware of their Splunk equivalent field.

For example, I used another lightweight tool called Log Parser 2.2, and I wrote this query to get the results:

LogParser.exe -i:W3C "SELECT date, time, cs-uri-stem, sc-bytes, time-taken, cs(Referer) FROM 'C:\Documents and Settings\Administrator\Desktop\Travel Planners\Tasks\Orchestrator Performance RCA\ex120629.log' where cs-uri-stem like '%emreservationlist.asp%'"

I wrote the following query in Splunk thinking it to be equivalent:

host="trlpws003" AND csuristem ="*emreservationlist.asp" | fields csuristem, date, time, timetaken, csbytes, csreferer

The results were similar, but the Splunk query did not retrieve any value for csreferer. I am requesting your help with this, and also, if possible, the equivalent Splunk fields for the W3C fields.

Thanks and Regards


Re: How to map all the fields of IIS W3C to Splunk fields


In Splunk, you can simply run the search

host="trlpws003" AND cs_uri_stem ="*emreservationlist.asp"

and you can see the list of fields that Splunk has identified and their names by using the blue/grey box on the left of the search results. Click the "edit" button to see the complete list of fields, as Splunk will only show the selected fields and interesting fields by default.

When you use the fields command as you did above, you are suppressing the default field extractions. While you may want to do this later, I think you should start by looking at what Splunk does by default.

The fields sidebar may help you - but it might not. Typically, Splunk identifies the fields in the events based on the sourcetype. If the sourcetype is iis, then Splunk will extract the IIS fields (and hopefully name them appropriately). However, if you have used a different sourcetype name, Splunk will not know to use its built-in IIS field definitions.

What is the name of the sourcetype for the results of this search?
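An added example (not from either poster) showing how the W3C `#Fields:` header drives the field names and how a Splunk-style normalisation would rename them; the normalisation rule (non-alphanumeric characters become underscores, modelled on the answer's `cs_uri_stem`) and the log sample are assumptions, so the exact names Splunk assigns should still be confirmed in the fields sidebar the answer describes.

```python
"""Parse IIS W3C extended log lines by their #Fields: header and apply an
assumed W3C -> Splunk-style field-name normalisation."""
import re

# Constructed sample of an IIS W3C log; not a real capture.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-06-29 00:00:00
#Fields: date time cs-uri-stem cs-uri-query sc-status sc-bytes time-taken cs(Referer)
2012-06-29 08:15:02 /emreservationlist.asp id=42 200 5120 187 http://intranet.example/start.asp
2012-06-29 08:15:03 /images/logo.gif - 200 2048 5 -
2012-06-29 08:16:10 /emreservationlist.asp id=43 200 4990 250 -
"""

def splunk_field_name(w3c_name: str) -> str:
    """Assumed normalisation: replace every character that is not a letter,
    digit or underscore with '_' and strip trailing underscores, so that
    'cs-uri-stem' -> 'cs_uri_stem' and 'cs(Referer)' -> 'cs_Referer'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", w3c_name).strip("_")

def parse_w3c(text: str) -> list[dict]:
    """Return one dict per event keyed by normalised field names.
    A '-' value is the W3C convention for an empty field (e.g. no Referer),
    which is one reason a search can show no value for that field."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [splunk_field_name(f) for f in line.split()[1:]]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) != len(fields):
                continue  # malformed row: skip rather than misalign fields
            events.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return events

def reservation_requests(text: str) -> list[dict]:
    """Equivalent of the Log Parser query: select the named fields where
    cs-uri-stem contains 'emreservationlist.asp'."""
    wanted = [splunk_field_name(f) for f in
              ("date", "time", "cs-uri-stem", "sc-bytes", "time-taken", "cs(Referer)")]
    return [{k: e[k] for k in wanted}
            for e in parse_w3c(text)
            if e.get("cs_uri_stem") and "emreservationlist.asp" in e["cs_uri_stem"]]

if __name__ == "__main__":
    for row in reservation_requests(SAMPLE_LOG):
        print(row)
```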