Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to map all the fields of IIS W3C to Splunk fields

subhadipc
Explorer
‎07-05-2012 12:00 AM

I wanted to see a detailed analysis of IIS logs in W3C (which is being fed to Splunk). I could not get all the available values. For some, may be I am not aware of their Splunk equivalent field.

For example I used another light weight tool call Log Parser 2.2, I wrote the query to get the results:

LogParser.exe -i:W3C "SELECT date, time, cs-uri-stem, sc-bytes, time-taken, cs(Referer) FROM 'C:\Documents and Settings\Administrator\Desktop\Travel Planners\Tasks\Orchestrator Performance RCA\ex120629.log' where cs-uri-stem like '%emreservationlist.asp%'"

I wrote the following query in Splunk thinking it to be equivalent:

host="trlpws003" AND cs_uri_stem ="*emreservationlist.asp" | fields cs_uri_stem, date, time, time_taken, cs_bytes, cs_referer_

The results, though similar, but the Splunk query did not retrieve any value for cs_referer_. Requesting your for the same, and also if possible tell the equivalent Splunk fields for the W3C fields.

Thanks and Regards

Tags (5)
0 Karma
Reply

lguinn2
Legend
‎07-07-2012 05:48 PM

In Splunk, you can simply run the search

host="trlpws003" AND cs_uri_stem ="*emreservationlist.asp"

and you can see the list of fields that splunk has identified and their names by using the blue/grey box on the left of the search results. Click the "edit" button to see the complete list of fields, as Splunk will only show the selected fields and interesting fields by default.

When you use the fields command as you did above, you are suppressing the default field extractions. While you may want to do this later, I think you should start by looking at what Splunk does by default.

The fields sidebar may help you - but it might not. Typically, Splunk identifies the fields in the events based on the sourcetype. If the sourcetype is iis, then Splunk will extract the IIS fields (and hopefully name them appropriately). However, if you have used a different sourcetype name, Splunk will not know to use its built-in IIS field definitions.

What is the name of the sourcetype for the results of this search?

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...