Exchange Activesync IIS logs - SEDCMD

drarum · ‎04-22-2011

I'm pulling Exchange Activesync information from our IIS logs on OWA and I want to perform a transform on Apple devices to make readability easier (To allow us to determine which HW/SW version the user is running). It's fairly simple, but I'm new to Splunk and something isn't working quite right.

I created a props.conf file here: $SPLUNK/etc/system/local/props.conf . This file isn't complete, I just filled in a few values for testing, but the search results still show the unmodified logs.

[owa]

SEDCMD-activesync=s/Apple-iPhone3C1/Apple-iPhone4/g

SEDCMD-activesync=s/Apple-iPhone2C1/Apple-iPhone3GS/g

SEDCMD-activesync=s/Apple-iPhone1C2/Apple-iPhone3G/g

For the first transformation, I want to substitute "Apple-iPhone3C1" for "Apple-iPhone4" in the "owa" log.

Thank you.

drarum · ‎04-25-2011

Thanks, I decided to go with the rex/sed searching and conversion. You were right about props.conf. I was supposed to be saving this to the universal forwarder that was indexing the data, but I was saving props.conf on the actual Splunk server after the data had already been indexed.

mslvrstn · ‎04-22-2011

What you are doing there is redefining the same property over and over.
Only the last one will have any effect, although that one should have worked for the 3G.

If you want to apply all of the edits, space separate them in one property, like:

SEDCMD-activesync=s/Apple-iPhone3C1/Apple-iPhone4/g s/Apple-iPhone2C1/Apple-iPhone3GS/g s/Apple-iPhone1C2/Apple-iPhone3G/g

Exchange Activesync IIS logs - SEDCMD

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases