Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Searching for "-" in IIS logs?

DaClyde
Contributor
‎02-16-2024 07:14 AM

In Microsoft IIS logs, when a field is empty, a dash ( - ) is used instead of leaving the value blank.  Presumably this is because IIS logs are space delimited, so otherwise it would just have three consecutive spaces which might be ignored.  However, even though there is something in the field, I can't search for something like cs_username="-" and get any results.  Is this something Splunk is doing, where it is treating the dash as a NULL? 

I have a dashboard where I track HTTP errors by cs_username, but when the username is not present, I can't drill down on the dash, I can only drill down on actual username values.  Is there a way to make the dash an active, drillable value?  I tried this but it didn't work:

| fillnull value="-" cs_username

How can I search the cs_username field when the value is a dash?

Labels (2)
Labels
0 Karma
Reply

rafamss
Contributor
‎02-16-2024 09:39 AM

As @PickleRick replied, you can avoid this just by using the EVAL or applying filters to look for everything different from null or blank.

You can also, create a field extraction using Regex to avoid situations like this, for example:

| rex field=_raw cs_username="(?<cs_username>.+?)\"\s

 

 https://regex101.com/r/f6booK/1

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-20-2024 01:19 PM

To be precise, I didn't suggest using evals. This eval is already defined within the TA and it's the reason why the field is empty.

0 Karma
Reply

DaClyde
Contributor
‎02-20-2024 07:47 AM

I will try both approaches today and see what happens.  Thanks for the suggestions!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-16-2024 08:47 AM

It is deliberately set this way by the IIS TA.

EVAL-user = if(cs_username == "-", null(), cs_username)

So it's not that Splunk doesn't find it, it's just that the field is set to empty value when there is nothing there.

Looking for

cs_username!=*

or

NOT cs_username=*

(these are not equivalent in general but in this case both can be used)

Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...