I have some searches that do not appear to be enhancing properly using the asset_lookup_by_str lookup table. In this case, I'll use dvc, but it appears to be similar with the others like dest as well. I run a search, the enhancements don't seem to be happening. If I run a search using the lookup it works sometimes. I'll give a few examples Search 1: index=windows | lookup asset_lookup_by_str asset AS dvc OUTPUTNEW domain AS AAAAA  Result 1: I get AAAAA to have only 1 of our 5 domains Search 2:  index=windows host=[hostname] | lookup asset_lookup_by_str asset AS dvc OUTPUTNEW domain AS AAAAA  Result 2: AAAAA doesn't show up . Search 3:  | inputlookup asset_lookup_by_str Result 3: The lookup table appears to be filled in nicely. Including the domains missing from search 1. Search 4:  | inputlookup asset_lookup_by_str | search asset=[host] Result 4: The host searched in Search 2 is in the lookup table.  Based on this, I'd say not only should Search 2 have worked, but Search 1 should have had more results, and the automatic lookup as a whole should be working. Any ideas what could be happening? My only thought is maybe some sort of priority order that is overriding the enhancement feature. But that wouldn't explain it not working in the specific search.    ... View more

I have a sourcetype the provides results for dst if it has one result or dst{} with multiple results. I am attempting to get this into a data model to be used; however I can't get dst{} to work. dst=dest works just fine, but dst{}=dest does not work. When doing dst{}= (IP address), the search works just fine. So I know it doesn't have an issue finding the information. I am missing something for what is needed to make it work within a data model. After researching for a couple days and failing, I thought I'd ask the community for their knowledge. ... View more

I'm trying to extract fields out of the winevent IIS logs. My regex works in regex101 perfectly. Also I can do something very similar with the rex command, so I feel like the regex should be ok. Here is the regex: Message=.*s-sitename\s(?<s_sitename>\w+)\ss-computername\s(?<s_computername>\w+)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-)\scs-method\s(?<cs_method>\w+)\scs-uri-stem\s(?<cs_uri_stem>.*)\scs-uri-query\s(?<cs_uri_query>.*)\ss-port\s(?<s_port>.*)\scs-username\s(?<cs_username>.*)\sc-ip\s(?<c_ip>.*)\scs-version\s(?<cs_version>.*)\scs\(User-Agent\)\s(?<cs_User_Agent>.*)\scs\(Cookie\)\s(?<cs_Cookie>.*)\scs\(Referer\)\s(?<cs_Referer>.*)\scs-host\s(?<cs_host>.*)\ssc-status\s(?<sc_status>.*)\ssc-substatus\s(?<sc_substatus>.*)\ssc-win32-status\s(?<sc_win32_status>.*)\ssc-bytes\s(?<sc_bytes>.*)\scs-bytes\s(?<cs_bytes>.*)\stime\-taken\s(?<time_taken>\d+)\s(?<additional_info_1>.*)\s(?:x-forwarded-for|X-Forwarded-For) (?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-)\s(?<additional_info_2>.*) An example that I'm trying to match to with data changed obviously: Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type - Unfortunately, when I put the regex in the "New Field Extraction" not a single field shows up. Appreciate any help in either the regex, or maybe I'm just doing it wrong somehow. ... View more