Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- matching fixed width fields or fields with spaces ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matching fixed width fields or fields with spaces from scripted input
mfrost8
Builder
01-17-2012
08:07 PM
I'm attempting to pull in data from iisweb.vbs /querv ia a scripted input. On Windows this will show a table of the status of each IIS site including a mapping from the crazy W3SVC directory name and the actual site. Example output that the scripted input is sticking into my index is something like
C:\WINDOWS\system32>C:\WINDOWS\System32\iisweb.vbs /query
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Connecting to server ...Done.
Site Name (Metabase Path) Status IP Port Host
==============================================================================
foo.bar.com (W3SVC/12345678) STARTED 1.2.3.4 80 foo.bar.com
fiz.bar.com (W3SVC/23456789) STOPPED 2.3.4.5 81 fiz.bar.com
test.bar.com (W3SVC/34567890) STARTED 3.4.5.6 90 N/A
Blaz Redirect to SSL (W3SVC/231245678) STARTED 1.2.2.1 95 N/A
Pish-Posh (W3SVC/901237894) STARTED 3.7.2.1 98 N/A
and so on. I would like to be able to extract this as multi-valued set of fields. I'd like to do that as part of my props.conf/transforms.conf search time extractions, but just experimenting using multikv from the command line to see what I might get isn't giving me what I want. It appears that it's because of the items in "Site Name" that can have spaces in them and multikv does not like spaces.
Maybe this is more than multikv can handle (which is fine), but can I manage to do what I want with props.conf/transforms.conf? The regex for each line would seem fairly straightforward, but it's not clear to me how to define that via props.conf/transforms.conf for search time extraction.
Any help and/or pointers are greatly appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
01-18-2012
12:32 AM
If you were running this input script on a Linux system, you could use awk to "normalize" the format of the iisweb.vbs /querv output into something that multikv would like better, before you ever input the data into Splunk.
But you can do the same thing with Splunk, too. Assuming that your sourcetype is iis-querv, put the following in your props.conf (on the indexer, not the forwarder)
[iis-querv]
SEDCMD-sed1 = s/(.*)Site Name \(Metabase Path)(.*)/\1SiteName (MetabasePath)\2/g
This should remove the spaces in the heading names. I don't know that this will be enough for multikv to work, as there also appears to be some variations in the rows of the table. But try it.
This is another application of the concepts in the documentation under Anonymize data. HTH!
Get Updates on the Splunk Community!
Security Professional: Sharpen Your Defenses with These .conf25 Sessions
Sooooooooooo, guess what.
.conf25 is almost here, and if you're on the Security Learning Path, this is your ...
First Steps with Splunk SOAR
Our first step was to gather a list of the playbooks we wanted and to sort them by priority. Once this list ...
How To Build a Self-Service Observability Practice with Splunk Observability Cloud
If you’ve read our previous post on self-service observability, you already know what it is and why it ...
