matching fixed width fields or fields with spaces from scripted input

mfrost8
Builder

I'm attempting to pull in data from iisweb.vbs /query via a scripted input. On Windows this will show a table of the status of each IIS site, including a mapping from the crazy W3SVC directory name to the actual site. Example output that the scripted input is sticking into my index is something like

C:\WINDOWS\system32>C:\WINDOWS\System32\iisweb.vbs /query 
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Connecting to server ...Done.
Site Name (Metabase Path)                     Status  IP              Port  Host
==============================================================================
foo.bar.com (W3SVC/12345678)                  STARTED 1.2.3.4         80    foo.bar.com
fiz.bar.com (W3SVC/23456789)                  STOPPED 2.3.4.5         81    fiz.bar.com
test.bar.com (W3SVC/34567890)                 STARTED 3.4.5.6         90    N/A
Blaz Redirect to SSL (W3SVC/231245678)        STARTED 1.2.2.1         95    N/A
Pish-Posh (W3SVC/901237894)                   STARTED 3.7.2.1         98    N/A

and so on. I would like to be able to extract this as a multi-valued set of fields. I'd like to do that as part of my props.conf/transforms.conf search-time extractions, but just experimenting using multikv from the command line to see what I might get isn't giving me what I want. It appears that it's because of the items in "Site Name" that can have spaces in them, and multikv does not like spaces.

Maybe this is more than multikv can handle (which is fine), but can I manage to do what I want with props.conf/transforms.conf? The regex for each line would seem fairly straightforward, but it's not clear to me how to define that via props.conf/transforms.conf for search time extraction.

Any help and/or pointers are greatly appreciated.

Thanks


lguinn2
Legend

If you were running this input script on a Linux system, you could use awk to "normalize" the format of the iisweb.vbs /query output into something that multikv would like better, before you ever input the data into Splunk.

But you can do the same thing with Splunk, too. Assuming that your sourcetype is iis-querv, put the following in your props.conf (on the indexer, not the forwarder):

[iis-querv]
SEDCMD-sed1 = s/(.*)Site Name \(Metabase Path\)(.*)/\1SiteName (MetabasePath)\2/g

This should remove the spaces in the heading names. I don't know that this will be enough for multikv to work, as there also appears to be some variations in the rows of the table. But try it.

This is another application of the concepts in the documentation under Anonymize data. HTH!

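As an added example (not code from either poster), here is the per-row regex the question has in mind, checked in Python against a constructed copy of the sample output; the props.conf/transforms.conf stanza names in the comment are assumptions, and the regex should be tried with the rex search command before it goes into a conf file.

```python
import re

# Constructed sample of the iisweb.vbs /query output as it lands in the index.
SAMPLE_EVENT = """\
C:\\WINDOWS\\system32>C:\\WINDOWS\\System32\\iisweb.vbs /query
Connecting to server ...Done.
Site Name (Metabase Path)                     Status  IP              Port  Host
==============================================================================
foo.bar.com (W3SVC/12345678)                  STARTED 1.2.3.4         80    foo.bar.com
fiz.bar.com (W3SVC/23456789)                  STOPPED 2.3.4.5         81    fiz.bar.com
test.bar.com (W3SVC/34567890)                 STARTED 3.4.5.6         90    N/A
Blaz Redirect to SSL (W3SVC/231245678)        STARTED 1.2.2.1         95    N/A
Pish-Posh (W3SVC/901237894)                   STARTED 3.7.2.1         98    N/A
"""

# One table row. The site name is "everything up to the last ' (W3SVC/nnn)'", so
# names with spaces survive; the header row never matches because it carries no
# W3SVC path. Splunk's PCRE takes the same pattern with (?<name>...) groups.
ROW_RE = re.compile(
    r"^(?P<site_name>.+?) \((?P<metabase_path>W3SVC/\d+)\)\s+"
    r"(?P<status>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s*$",
    re.MULTILINE,
)

# Assumed equivalent search-time extraction (MV_ADD turns repeated matches
# within one event into multi-valued fields; (?m) makes ^ and $ per line):
#   props.conf        [iis-querv]
#                     REPORT-sites = iisweb_sites
#   transforms.conf   [iisweb_sites]
#                     REGEX = (?m)^(?<site_name>.+?) \((?<metabase_path>W3SVC/\d+)\)\s+(?<status>\S+)\s+(?<ip>\S+)\s+(?<port>\d+)\s+(?<host>\S+)\s*$
#                     MV_ADD = true

def extract_sites(event):
    """Return one dict per table row, in the order the rows appear."""
    return [m.groupdict() for m in ROW_RE.finditer(event)]

def as_multivalue(rows):
    """Fold the rows into one multi-valued field set, as MV_ADD = true would."""
    fields = {}
    for row in rows:
        for name, value in row.items():
            fields.setdefault(name, []).append(value)
    return fields

def site_for_path(event, metabase_path):
    """Map a W3SVC directory name back to its site name, or None if absent."""
    for row in extract_sites(event):
        if row["metabase_path"] == metabase_path:
            return row["site_name"]
    return None
```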