Hi jbjerke,
Thanks for the reply. I have added the ms:iis:auto sourcetype configuration to the props.conf file (in the local folder), and the eventtype definition has also been updated in the eventtype.conf file. But session data is not being fetched in any of the dashboards. I have also noticed this issue for the other inbuilt sourcetype (apache:access) as well.
ms:iis:auto sourcetype configuration in props.conf:
[ms:iis:auto]
EXTRACT-http_referer_domain = https?:\/\/(?<http_referer_domain>[^/]+) in cs_Referer
EVAL-http_referer = if(isnull(cs_Referer),"-",cs_Referer)
FIELDALIAS-cs_username = cs_username as user
FIELDALIAS-cs_User_Agent = cs_User_Agent as http_user_agent,cs_User_Agent_ as http_user_agent
FIELDALIAS-cs_uri_stem = cs_uri_stem as uri_path
FIELDALIAS-cs_uri_query = cs_uri_query as uri_query
FIELDALIAS-TimeTakenMS = TimeTakenMS as duration, TimeTakenMS as response_time, time_taken as duration, time_taken as response_time
FIELDALIAS-sc_status = sc_status as status
FIELDALIAS-s_sitename = s_sitename as site
FIELDALIAS-s_ip = s_ip as dest_ip, s_ip as dest, s_ip as dvc
FIELDALIAS-s_port = s_port as http_port, s_port as dest_port, s_port as port
FIELDALIAS-s_computername = s_computername as host
FIELDALIAS-RequestsPerSecond = RequestsPerSecond as hits_per_second
FIELDALIAS-cs_Referer = cs_Referer as http_referrer, cs_Referer_ as http_referrer, cs_Referer as http_referer, cs_Referer_ as http_referer
FIELDALIAS-cs_method = cs_method as http_method
FIELDALIAS-cs_Cookie = cs_Cookie as cookie, cs_Cookie_ as cookie
FIELDALIAS-c_ip = c_ip as src_ip, c_ip as src
FIELDALIAS-sc_bytes = sc_bytes as bytes_out
FIELDALIAS-cs_bytes = cs_bytes as bytes_in
EXTRACT-file = .*/ in cs_uri_stem
EXTRACT-file = (?<file>\w+(?:.\w+)+$) in cs_uri_stem
Global properties, applied to all sourcetypes for the app
EXTRACT-http_locale = (?i)^(?:[^;\n]*;){3}\s+(?P<http_locale>[a-z]{2}(|[-][a-z]{2}));
EVAL-file = if(match(file,"."),file,NULL)
EVAL-http_channel = if(http_referer="-","Direct", if(like(http_referer_domain,"%".site."%"),"Direct", if(isnull(http_channel), "Referal", http_channel)))
EVAL-http_referer_domain = replace(http_referer_domain, "http(s|):\/\/", "")
EVAL-http_referer_hostname = replace(replace(replace(http_referer_domain, "http(s|):\/\/", ""), "^(www|m|uk|r|l|tpc|lm).+", ""), "(.{1}[a-zA-Z]+)", "")
EVAL-user = md5(clientip."".http_user_agent)
LOOKUP-2_Channels = WA_channels Hostname AS http_referer_hostname OUTPUT Channel AS http_channel
LOOKUP-site = WA_settings source AS source host AS host OUTPUTNEW value AS site
eventtype definition configuration in eventtypes.conf file:
[web-traffic]
search = sourcetype="aws:cloudfront:accesslogs" OR sourcetype="apache:access" OR sourcetype="iis" OR sourcetype="ms:iis:auto" OR sourcetype="access_combined" OR sourcetype="access_common" OR sourcetype="access_combined_wcookie"
Regards,
Selva