IIS Search Examples Cheat Sheet
The IIS Search Examples cheat sheet provides examples of useful IIS search queries for different use cases.
The examples use this sample Access log message where applicable:
2015-06-03 00:02:48 GET /myurl dp=mysearch 8200 10.1.1.1 Windows-RSS-Platform/2.0+(IE+11.0;+Windows+NT+6.2) - - abcd.com 200 0 0 2583 271 15
Keyword Expressions
| Use Case | Sumo Logic Query Example |
|---|---|
| Look for failures or errors with a specific message. | "ID = 123456" AND (fail* OR error) |
| Look for errors in sshd logs. AND is assumed. Case insensitive, unless double-quoted. | sshd (fail* OR error OR allowed OR identity) |
| Look for general authorization failures excluding router messages. | (fail* OR error?) NOT _source=routers |
More Info
For more information, see Keyword Search Expression
Parse, Count, and Top Operators
| Use Case | Sumo Logic Query Example |
|---|---|
| Extract "from" and "to" fields using a simple wild card. For example, if a raw event contains "From: Jane To: John", then from=Jane and to=John. | `* |
| Extract IP address using a regex pattern. | `* |
| Identify pages visited, extracted as the "cs_uri_stem" field. | `_source=IIS |
| Identify messages with status code “200” and extract the sc_substatus, sc_win32_status, and sc_bytes fields. | `_source=IIS |
The following examples assume you used the parsing from above:
| Use Case | Sumo Logic Query Example |
|---|---|
| Calculate the total number of bytes transferred to each client IP address. | ` |
| Calculate the average size of successful HTTP responses. | ` |
| If the "sc_substatus" field is missing don't exclude those messages (nodrop)…otherwise non-matches would be filtered out. | ` |
| Calculate the number of times a page has been visited. | ` |
| Calculate the total number of pages by client IP addresses. | ` |
| Calculate the total number of pages by client IP address, sort them highest to lowest. | ` |
| Identify the top 10 pages. | ` |
| Identify the top 10 client IP addresses by bandwidth usage. | ` |
| Identify the top 100 client IP addresses by number of hits. | ` |
Timeslice and Transpose
| Use Case | Sumo Logic Query Example |
|---|---|
| For the host / domain "abcd.com", count by sc_status with a timeslice of 15m | `source=IIS |
| Pivot the results so that time is on the X axis and sc_status is on the Y axis (values can be displayed in legend) | ` |
Conditional Operators
| Use Case | Sumo Logic Query Example |
|---|---|
| For the source "IIS", find all messages with a client error status code (40*) | `_source=IIS 40* |
| For the source "IIS/Access", count hits by browser | `source=IIS/Access |
| Use the where operator to match only weekend days. | `* |
| Identify all URLs that contain the subdirectory "Courses" in the path. | `* |
| Find version numbers that match numeric values 2, 3 or 1. Use the num operator to change the string into a number. | `* |
For any query, you can increase specificity by adding metadata fields to the keyword expression. Metadata fields include _sourceCategory,
_sourceHost , and _sourceName. Edit Source metadata in the Collection tab. For details see Search Metadata.