Skip to main content

IIS Search Examples Cheat Sheet

The IIS Search Examples cheat sheet provides examples of useful IIS search queries for different use cases.

The examples use this sample Access log message where applicable:

2015-06-03 00:02:48 GET /myurl dp=mysearch 8200 10.1.1.1 Windows-RSS-Platform/2.0+(IE+11.0;+Windows+NT+6.2) - - abcd.com 200 0 0 2583 271 15

Keyword Expressions​

Use CaseSumo Logic Query Example
Look for failures or errors with a specific message."ID = 123456" AND (fail* OR error)
Look for errors in sshd logs. AND is assumed. Case insensitive, unless double-quoted.sshd (fail* OR error OR allowed OR identity)
Look for general authorization failures excluding router messages.(fail* OR error?) NOT _source=routers
More Info

For more information, see Keyword Search Expressions.

Parse, Count, and Top Operators​

Use CaseSumo Logic Query Example
Extract "from" and "to" fields using a simple wild card. For example, if a raw event contains "From: Jane To: John", then from=Jane and to=John.* | parse "From: * To: *" as from, to
Extract IP address using a regex pattern.* | parse regex 
"(?<c_ip>\d3.\d3.\d3.\d3)"
Identify pages visited, extracted as the "cs_uri_stem" field._source=IIS
| parse "GET * " as cs_uri_stem
Identify messages with status code “200” and extract the sc_substatus, sc_win32_status, and sc_bytes fields._source=IIS
| parse " 200 * * * " as sc_substatus, sc_win32_status, sc_bytes
Examples below assume the parsing used above
Calculate the total number of bytes transferred to each client IP address.| count, sum(sc_bytes) by c_ip
Calculate the average size of successful HTTP responses.| avg(sc_bytes)
If the "sc_substatus" field is missing don’t exclude those messages (nodrop)…otherwise non-matches would be filtered out.| parse " 200 * " as sc_substatus nodrop
Calculate the number of times a page has been visited.| count by cs_uri_stem
Calculate the total number of pages by client IP addresses.| count by c_ip
Calculate the total number of pages by client IP address, sort them highest to lowest.| count by c_ip
| sort by _count desc
Identify the top 10 pages.| count by cs_uri_stem
| top 10 cs_uri_stem by _count
Identify the top 10 client IP addresses by bandwidth usage.| sum(sc_bytes) as total_bytes by c_ip
| top 10 c_ip by total_bytes
Identify the top 100 client IP addresses by number of hits.| count by c_ip
| top 100 c_ip by _count
More Info

For more information, see Parsing, Count, and Top.

Timeslice and Transpose​

Use CaseSumo Logic Query Example
For the host / domain "abcd.com", count by sc_status with a timeslice of 15msource=IIS
| parse "abcd.com * " as sc_status
| timeslice 15m
| count by _timeslice, sc_status
Pivot the results so that time is on the X axis and sc_status is on the Y axis (values can be displayed in legend)| transpose row _timeslice column sc_status
info

For more information, see Timeslice and Transpose.

Conditional Operators​

Use CaseSumo Logic Query Example
For the source "IIS", find all messages with a client error status code (40*)_source=IIS 40*
| parse "abcd.com * " as sc_status
| where sc_status matches "40*"
For the source "IIS/Access", count hits by browsersource=IIS/Access
| parse "* * * * * * * * " as date, time, csmethod, cs_uri_stem, cs_uri_query, s_port, c_ip, cs_UserAgent
| if (cs_UserAgent matches "MSIE",1,0) as ie
| if (cs_UserAgent matches "Firefox",1,0) as firefox
| if (cs_UserAgent matches "Safari",1,0) as safari
| if (cs_UserAgent matches "Chrome",1,0) as chrome
| sum(ie) as ie, sum(firefox) as firefox, sum(safari) as safari, sum(chrome) as chrome
Use the where operator to match only weekend days.* | parse "day=*:" as day_of_week
| where day_of_week in ("Saturday","Sunday")
Identify all URLs that contain the subdirectory "Courses" in the path.* | parse "GET * " as cs_uri_stem
| where cs_uri_stem matches "Courses"
Find version numbers that match numeric values 2, 3 or 6. Use the num operator to change the string into a number.* | parse "Version=*." as number
| num(number) | where number in (2,3,6)
More Info

For more information, see Where and If. 

For any query, you can increase specificity by adding metadata fields to the keyword expression. Metadata fields include _sourceCategory, _sourceHost , and _sourceName. Edit Source metadata in the Collection tab. For details, see Search Metadata.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.