IIS Search Examples Cheat Sheet
The IIS Search Examples cheat sheet provides examples of useful IIS search queries for different use cases.
The examples use this sample Access log message where applicable:
2015-06-03 00:02:48 GET /myurl dp=mysearch 8200 10.1.1.1 Windows-RSS-Platform/2.0+(IE+11.0;+Windows+NT+6.2) - - abcd.com 200 0 0 2583 271 15
Keyword Expressions
| Use Case | Sumo Logic Query Example |
|---|---|
| Look for failures or errors with a specific message. | "ID = 123456" AND (fail* OR error) |
| Look for errors in sshd logs. AND is assumed. Case insensitive, unless double-quoted. | sshd (fail* OR error OR allowed OR identity) |
| Look for general authorization failures excluding router messages. | (fail* OR error?) NOT _source=routers |
More Info
For more information, see Keyword Search Expression
Parse, Count, and Top Operators
| Use Case | Sumo Logic Query Example |
|---|---|
| Extract "from" and "to" fields using a simple wild card. For example, if a raw event contains "From: Jane To: John", then from=Jane and to=John. `* | parse "From: To: " as from, to` |
| Extract IP address using a regex pattern. | `* |
| Identify pages visited, extracted as the "cs_uri_stem" field. | `_source=IIS |
| Identify messages with status code “200” and extract the sc_substatus, sc_win32_status, and sc_bytes fields. | `_source=IIS |
The following examples assume you used the parsing from above:
| Use Case | Sumo Logic Query Example |
|---|---|
| Calculate the total number of bytes transferred to each client IP address. | | count, sum(sc_bytes) by c_ip |
| Calculate the average size of successful HTTP responses. | | avg(sc_bytes) |
| If the "sc_substatus" field is missing don't exclude those messages (nodrop)…otherwise non-matches would be filtered out. | | parse " 200 * " as sc_substatusnodrop |
| Calculate the number of times a page has been visited. | | count by cs_uri_stem |
| Calculate the total number of pages by client IP addresses. | | count by c_ip |
| Calculate the total number of pages by client IP address, sort them highest to lowest. | | count by c_ip | sort by _countdesc |
| Identify the top 10 pages. | | count by cs_uri_stem | top 10 cs_uri_stem by _count |
| Identify the top 10 client IP addresses by bandwidth usage. | | sum(sc_bytes) as total_bytes by c_ip | top 10 c_ip by total_bytes |
| Identify the top 100 client IP addresses by number of hits. | | count by c_ip | top 100 c_ip by _count |
Timeslice and Transpose
| Use Case | Sumo Logic Query Example |
|---|---|
| For the host / domain "abcd.com", count by sc_status with a timeslice of 15m | source=IIS | parse "abcd.com * " as sc_status | timeslice 15m | count by _timeslice, sc_status |
| Pivot the results so that time is on the X axis and sc_status is on the Y axis (values can be displayed in legend) | | transpose row _timeslice column sc_status |
Conditional Operators
| Use Case | Sumo Logic Query Example |
|---|---|
| For the source "IIS", find all messages with a client error status code (40*) | _source=IIS 40* ` |
| For the source "IIS/Access", count hits by browser | `source=IIS/Access |
| Use the where operator to match only weekend days. | `* |
| Identify all URLs that contain the subdirectory "Courses" in the path. | `* |
| Find version numbers that match numeric values 2, 3 or 1. Use the num operator to change the string into a number. | `* |
For any query, you can increase specificity by adding metadata fields to the keyword expression. Metadata fields include _sourceCategory,
_sourceHost , and _sourceName. Edit Source metadata in the Collection tab. For details see Search Metadata.
