Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- matching fixed width fields or fields with spaces ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matching fixed width fields or fields with spaces from scripted input
I'm attempting to pull in data from iisweb.vbs /querv ia a scripted input. On Windows this will show a table of the status of each IIS site including a mapping from the crazy W3SVC directory name and the actual site. Example output that the scripted input is sticking into my index is something like
C:\WINDOWS\system32>C:\WINDOWS\System32\iisweb.vbs /query
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Connecting to server ...Done.
Site Name (Metabase Path) Status IP Port Host
==============================================================================
foo.bar.com (W3SVC/12345678) STARTED 1.2.3.4 80 foo.bar.com
fiz.bar.com (W3SVC/23456789) STOPPED 2.3.4.5 81 fiz.bar.com
test.bar.com (W3SVC/34567890) STARTED 3.4.5.6 90 N/A
Blaz Redirect to SSL (W3SVC/231245678) STARTED 1.2.2.1 95 N/A
Pish-Posh (W3SVC/901237894) STARTED 3.7.2.1 98 N/A
and so on. I would like to be able to extract this as multi-valued set of fields. I'd like to do that as part of my props.conf/transforms.conf search time extractions, but just experimenting using multikv from the command line to see what I might get isn't giving me what I want. It appears that it's because of the items in "Site Name" that can have spaces in them and multikv does not like spaces.
Maybe this is more than multikv can handle (which is fine), but can I manage to do what I want with props.conf/transforms.conf? The regex for each line would seem fairly straightforward, but it's not clear to me how to define that via props.conf/transforms.conf for search time extraction.
Any help and/or pointers are greatly appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you were running this input script on a Linux system, you could use awk to "normalize" the format of the iisweb.vbs /querv output into something that multikv would like better, before you ever input the data into Splunk.
But you can do the same thing with Splunk, too. Assuming that your sourcetype is iis-querv, put the following in your props.conf (on the indexer, not the forwarder)
[iis-querv]
SEDCMD-sed1 = s/(.*)Site Name \(Metabase Path)(.*)/\1SiteName (MetabasePath)\2/g
This should remove the spaces in the heading names. I don't know that this will be enough for multikv to work, as there also appears to be some variations in the rows of the table. But try it.
This is another application of the concepts in the documentation under Anonymize data. HTH!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
