Skip to main content

IIS Search Examples Cheat Sheet

The IIS Search Examples cheat sheet provides examples of useful IIS search queries for different use cases.

The examples use this sample Access log message where applicable:

2015-06-03 00:02:48 GET /myurl dp=mysearch 8200 Windows-RSS-Platform/2.0+(IE+11.0;+Windows+NT+6.2) - - 200 0 0 2583 271 15

Keyword Expressions

Use CaseSumo Logic Query Example
Look for failures or errors with a specific message."ID = 123456" AND (fail* OR error)
Look for errors in sshd logs. AND is assumed. Case insensitive, unless double-quoted.sshd (fail* OR error OR allowed OR identity)
Look for general authorization failures excluding router messages.(fail* OR error?) NOT _source=routers
More Info

For more information, see Keyword Search Expression

Parse, Count, and Top Operators

Use CaseSumo Logic Query Example
Extract "from" and "to" fields using a simple wild card. For example, if a raw event contains "From: Jane To: John", then from=Jane and to=John.`*
Extract IP address using a regex pattern.`*
Identify pages visited, extracted as the "cs_uri_stem" field.`_source=IIS
Identify messages with status code “200” and extract the sc_substatus, sc_win32_status, and sc_bytes fields.`_source=IIS

The following examples assume you used the parsing from above:

Use CaseSumo Logic Query Example
Calculate the total number of bytes transferred to each client IP address.`
Calculate the average size of successful HTTP responses.`
If the "sc_substatus" field is missing don't exclude those messages (nodrop)…otherwise non-matches would be filtered out.`
Calculate the number of times a page has been visited.`
Calculate the total number of pages by client IP addresses.`
Calculate the total number of pages by client IP address, sort them highest to lowest.`
Identify the top 10 pages.`
Identify the top 10 client IP addresses by bandwidth usage.`
Identify the top 100 client IP addresses by number of hits.`
More Info

For more information, see ParsingCount, and Top.

Timeslice and Transpose

Use CaseSumo Logic Query Example
For the host / domain "", count by sc_status with a timeslice of 15m`source=IIS 
Pivot the results so that time is on the X axis and sc_status is on the Y axis (values can be displayed in legend)`
More Info

For more information, see Timeslice and Transpose.

Conditional Operators

Use CaseSumo Logic Query Example
For the source "IIS", find all messages with a client error status code (40*)`_source=IIS 40* 
For the source "IIS/Access", count hits by browser`source=IIS/Access 
Use the where operator to match only weekend days.`*
Identify all URLs that contain the subdirectory "Courses" in the path.`*
Find version numbers that match numeric values 2, 3 or 1. Use the num operator to change the string into a number.`*
More Info

For more information, see Where and If

For any query, you can increase specificity by adding metadata fields to the keyword expression. Metadata fields include _sourceCategory, _sourceHost , and _sourceName. Edit Source metadata in the Collection tab. For details see Search Metadata.