Splunk Search

Searching for "-" in IIS logs?

DaClyde
Contributor

In Microsoft IIS logs, when a field is empty, a dash ( - ) is used instead of leaving the value blank.  Presumably this is because IIS logs are space delimited, so otherwise it would just have three consecutive spaces which might be ignored.  However, even though there is something in the field, I can't search for something like cs_username="-" and get any results.  Is this something Splunk is doing, where it is treating the dash as a NULL? 

I have a dashboard where I track HTTP errors by cs_username, but when the username is not present, I can't drill down on the dash, I can only drill down on actual username values.  Is there a way to make the dash an active, drillable value?  I tried this but it didn't work:

| fillnull value="-" cs_username

How can I search the cs_username field when the value is a dash?

0 Karma

rafamss
Contributor

As @PickleRick replied, you can avoid this just by using the EVAL or applying filters to look for everything different from null or blank.

You can also create a field extraction using regex to avoid situations like this, for example:

| rex field=_raw cs_username="(?<cs_username>.+?)\"\s

https://regex101.com/r/f6booK/1

0 Karma

PickleRick
SplunkTrust
SplunkTrust

To be precise, I didn't suggest using evals. This eval is already defined within the TA and it's the reason why the field is empty.

0 Karma

DaClyde
Contributor

I will try both approaches today and see what happens.  Thanks for the suggestions!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It is deliberately set this way by the IIS TA.

EVAL-user = if(cs_username == "-", null(), cs_username)

So it's not that Splunk doesn't find it, it's just that the field is set to empty value when there is nothing there.

Looking for

cs_username!=*

or

NOT cs_username=*

(these are not equivalent in general but in this case both can be used)
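As an added illustration that is not part of the thread or of the IIS TA itself, the Python below models what the accepted answer describes: the W3C "-" placeholder is extracted as a literal value, the TA's calculated field (`EVAL-user = if(cs_username == "-", null(), cs_username)`) turns it into a null field, and a null field never matches an equality search. The log excerpt, the field names and the helper functions are constructed for this example; it follows the quoted eval in writing the derived field to `user` rather than back into `cs_username`, and it shows a fillnull-style step that restores a literal "-" so that the missing-username bucket becomes a value a dashboard can drill on.

```python
"""
Constructed model of IIS W3C log parsing and the Splunk IIS TA's
"-" -> null() calculated field. Not Splunk code; it only mirrors the
search-time semantics discussed in the thread.
"""
from collections import Counter

# Constructed IIS W3C log excerpt: a #Fields header plus four events.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2024-05-01 10:00:01 10.0.0.5 GET /index.html - 192.0.2.10 200
2024-05-01 10:00:02 10.0.0.5 GET /admin - 192.0.2.11 401
2024-05-01 10:00:03 10.0.0.5 GET /report.aspx CORP\\alice 192.0.2.12 500
2024-05-01 10:00:04 10.0.0.5 POST /upload - 192.0.2.13 403
"""


def parse_w3c(text):
    """Parse W3C extended log text into one dict per event.

    Field names come from the #Fields directive, with '-' replaced by '_'
    the way the Splunk add-on names them (cs-username -> cs_username).
    The '-' placeholder is kept as a literal string at this stage, which
    is what the raw field extraction sees.
    """
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.replace("-", "_") for f in line.split()[1:]]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no event
        if fields is None:
            raise ValueError("data line before #Fields header")
        events.append(dict(zip(fields, line.split())))
    return events


def apply_ta_eval(event):
    """Mirror EVAL-user = if(cs_username == "-", null(), cs_username).

    Splunk's null() means the field is absent from the event, which is
    modelled here by simply not creating the 'user' key.
    """
    out = dict(event)
    if event.get("cs_username", "-") != "-":
        out["user"] = event["cs_username"]
    return out


def search_equals(events, field, value):
    """Model of `field="value"`: a missing (null) field can never match."""
    return [e for e in events if e.get(field) == value]


def missing_field(events, field):
    """Model of `NOT field=*` (and, for this TA, `field!=*`): field absent."""
    return [e for e in events if field not in e]


def fillnull(events, field, value):
    """Model of `| fillnull value="<value>" <field>` on the evaluated field."""
    return [dict(e, **{field: e.get(field, value)}) for e in events]


def errors_by_user(events, field="user"):
    """Count HTTP 4xx/5xx responses per user; None stands for a null user."""
    return Counter(e.get(field) for e in events if int(e["sc_status"]) >= 400)


if __name__ == "__main__":
    raw = parse_w3c(SAMPLE_LOG)
    evaluated = [apply_ta_eval(e) for e in raw]
    print("raw cs_username='-' events:", len(search_equals(raw, "cs_username", "-")))
    print("evaluated user='-' events:", len(search_equals(evaluated, "user", "-")))
    print("events with null user:", len(missing_field(evaluated, "user")))
    print("errors by user (null bucket):", dict(errors_by_user(evaluated)))
    print("errors by user after fillnull:", dict(errors_by_user(fillnull(evaluated, "user", "-"))))
```

Run it to see the difference in one place: the raw extraction matches three events for `cs_username="-"`, the evaluated `user` field matches none, and the three dash events only become a searchable, drillable bucket once fillnull writes a literal value back into the field the dashboard uses.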
