Refine your search:

matching fixed width fields or fields with spaces from scripted input

0

I'm attempting to pull in data from iisweb.vbs /querv ia a scripted input. On Windows this will show a table of the status of each IIS site including a mapping from the crazy W3SVC directory name and the actual site. Example output that the scripted input is sticking into my index is something like

C:\WINDOWS\system32>C:\WINDOWS\System32\iisweb.vbs /query 
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Connecting to server ...Done.
Site Name (Metabase Path)                     Status  IP              Port  Host
==============================================================================
foo.bar.com (W3SVC/12345678)                  STARTED 1.2.3.4         80    foo.bar.com
fiz.bar.com (W3SVC/23456789)                  STOPPED 2.3.4.5         81    fiz.bar.com
test.bar.com (W3SVC/34567890)                 STARTED 3.4.5.6         90    N/A
Blaz Redirect to SSL (W3SVC/231245678)        STARTED 1.2.2.1         95    N/A
Pish-Posh (W3SVC/901237894)                   STARTED 3.7.2.1         98    N/A

and so on. I would like to be able to extract this as multi-valued set of fields. I'd like to do that as part of my props.conf/transforms.conf search time extractions, but just experimenting using multikv from the command line to see what I might get isn't giving me what I want. It appears that it's because of the items in "Site Name" that can have spaces in them and multikv does not like spaces.

Maybe this is more than multikv can handle (which is fine), but can I manage to do what I want with props.conf/transforms.conf? The regex for each line would seem fairly straightforward, but it's not clear to me how to define that via props.conf/transforms.conf for search time extraction.

Any help and/or pointers are greatly appreciated.

Thanks

asked 17 Jan, 20:07

mfrost8's gravatar image

mfrost8
4342115
accept rate: 46%

One Answer:
oldestnewestmost voted
0

If you were running this input script on a Linux system, you could use awk to "normalize" the format of the iisweb.vbs /querv output into something that multikv would like better, before you ever input the data into Splunk.

But you can do the same thing with Splunk, too. Assuming that your sourcetype is iis-querv, put the following in your props.conf (on the indexer, not the forwarder)

[iis-querv]
SEDCMD-sed1 = s/(.*)Site Name \(Metabase Path)(.*)/\1SiteName (MetabasePath)\2/g

This should remove the spaces in the heading names. I don't know that this will be enough for multikv to work, as there also appears to be some variations in the rows of the table. But try it.

This is another application of the concepts in the documentation under Anonymize data. HTH!

link

answered 18 Jan, 00:32

lguinn's gravatar image

lguinn ♦
3.1k216
accept rate: 24%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×352
×26

Asked: 17 Jan, 20:07

Seen: 309 times

Last updated: 18 Jan, 00:32

Related questions

How to stop automatic field extraction from creating separate fields for each case variant on the same field name

Adding a field extraction causes other fields to disappear

Field extraction with duplicate values in fields

define custom fixed fields

Automatic field extraction not extracting all the fields from a particular event

multikv field extraction

Field extraction on post multikv field?

Having trouble setting up delims-based field extraction, fields are not showing up

Copyright © 2005-2012 Splunk, Inc. All rights reserved.