Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

IIS Status Field

rcovert
Path Finder
‎04-23-2012 09:25 AM

Hi,

I am having trouble getting Splunk to read the status field from my logs. I have put the following in my props.conf and restarted Splunk:

[iis]
TZ = GMT
CHECK_FOR_HEADER = true
FIELDALIAS-status = "sc-status" AS status

If I search for eventtype=web-traffic, I see results. But, when I search eventtype=web-traffic status=200, I get 0 results.

My indexer in on Linux, forwarder on Windows. Can anyone help me?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rcovert
Path Finder
‎04-23-2012 12:30 PM

Well, I figured it out on my own. In case anyone else has the same problem, this is what I did. First, I put this in my props.conf:

[iis]
TZ = GMT
CHECK_FOR_HEADER = true
REPORT-AutoHeader = AutoHeader-1
FIELDALIAS-status = c_ip AS clientip cs_Referer_ AS referer_domain cs_User_Agent_ AS useragent cs_host AS host cs_method AS method cs_uri_query AS q cs_uri_stem AS uri sc_status AS status

and this in transforms.conf:
[AutoHeader-1]
DELIMS = " "
FIELDS = "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"

I'm not sure why the field aliases use a "_" instead of "-", but it works!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rcovert
Path Finder
‎04-23-2012 12:30 PM

Well, I figured it out on my own. In case anyone else has the same problem, this is what I did. First, I put this in my props.conf:

[iis]
TZ = GMT
CHECK_FOR_HEADER = true
REPORT-AutoHeader = AutoHeader-1
FIELDALIAS-status = c_ip AS clientip cs_Referer_ AS referer_domain cs_User_Agent_ AS useragent cs_host AS host cs_method AS method cs_uri_query AS q cs_uri_stem AS uri sc_status AS status

and this in transforms.conf:
[AutoHeader-1]
DELIMS = " "
FIELDS = "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"

I'm not sure why the field aliases use a "_" instead of "-", but it works!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...