Sumo Logic

Suggested Searches for the Microsoft IIS Parser

These suggested searches cover some of the most common scenarios for monitoring security, audit, and performance issues on a Microsoft IIS web server. You can enter these queries into the Search box as a starting baseline, and then customize them for your environment.

These searches assume the messages are parsed by the out-of-the-box IIS W3C access log parser (that is, parse using public/iis), which exposes the W3C fields under names such as sc_status, cs_uri_stem, cs_user_agent, and time_taken.

HTTP Status Code Summary Over Time

Returns the number of client errors, server errors, redirects, and successful responses observed each day over the last seven days. This search can be used to understand the distribution of errors vs successful responses and redirects.

  • Suggested Time Range: -7d

_sourceCategory=*IIS*
| parse using public/iis
| if(sc_status matches "2*", 1, 0) as successes
| if(sc_status matches "3*", 1, 0) as redirects
| if(sc_status matches "5*", 1, 0) as server_errors
| if(sc_status matches "4*", 1, 0) as client_errors
| timeslice by 1d
| sum(successes) as successes, sum(redirects) as redirects, sum(client_errors) as client_errors, sum(server_errors) as server_errors by _timeslice

Top 404 URLs

Returns the 100 most frequently requested URLs that returned a 404, meaning the requested resource does not exist on the website. This information can be used to fix broken links on existing pages; a large number of distinct 404 paths from a single client is also a common sign of a vulnerability scanner probing for files.

  • Suggested Time Range: -1d

_sourceCategory=*IIS* "404"
| parse using public/iis
| where sc_status matches "404"
| count_frequent cs_uri_stem
| limit 100

Traffic Volume Served Per Day

Returns the number of hits on the website for each day over the past seven days. If this search is run over a longer period of time (such as two weeks or a month), it can give you a good idea of which days of the week are busier.

  • Suggested Time Range: -7d

_sourceCategory=*IIS*
| parse using public/iis
| timeslice by 1d
| count as hits by _timeslice

Top Browsers

Returns the top 10 browsers accessing the website.

  • Suggested Time Range: -1d

_sourceCategory=*IIS*
| parse using public/iis
| count_frequent cs_user_agent
| limit 10

Slowest URLs by Average Time

Returns the 100 URLs with the highest average response time. IIS logs time-taken in milliseconds, so the search divides by 1000 to report seconds; sort by orders results in descending order by default, so the slowest URLs appear first.

  • Suggested Time Range: -1d

_sourceCategory=*IIS*
| parse using public/iis
| (time_taken/1000) as seconds
| avg(seconds) as avgtimeinseconds by cs_uri_stem
| sort by avgtimeinseconds
| limit 100
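To show what the parse using public/iis step produces and what the five searches above compute over it, here is an added example written for this page; it is not Sumo Logic's parser or any code from the product. It parses the IIS W3C format directly (the #Fields: directive names the columns, values are space-separated, and IIS encodes spaces inside a value as +), normalizes field names into the sc_status / cs_uri_stem / cs_user_agent style the searches use, and then reproduces each aggregation. It runs over constructed sample log lines, including one malformed line that a field-count check drops. It goes one step beyond the page with top_404_clients, which groups 404s by client IP to surface scanner enumeration; the function name and the sample data are this example's own.

```python
# Added example (not Sumo Logic's public/iis parser): a minimal IIS W3C access-log
# parser plus the aggregations the suggested searches compute, run over constructed lines.
from collections import Counter, defaultdict

# Constructed sample log in the format IIS writes: directive lines start with '#',
# '#Fields:' names the columns, fields are space-separated, and spaces inside a
# value (e.g. the User-Agent) are encoded as '+'. The last line is deliberately malformed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 15
2024-05-01 00:00:02 10.0.0.5 GET /old/page.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 404 0 2 3
2024-05-01 00:00:03 10.0.0.5 GET /old/page.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 404 0 2 2
2024-05-01 00:00:04 10.0.0.5 GET /login - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 302 0 0 8
2024-05-01 00:00:05 10.0.0.5 POST /api/report - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 500 0 0 2500
2024-05-02 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 25
2024-05-02 00:00:02 10.0.0.5 GET /wp-login.php - 443 - 198.51.100.9 curl/8.4.0 - 404 0 2 1
2024-05-02 00:00:03 10.0.0.5 POST /api/report - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 1500
2024-05-02 00:00:04 this line has the wrong number of fields and is skipped
"""


def normalize_field(name):
    """Map a W3C field name to the identifier style the searches use:
    cs-uri-stem -> cs_uri_stem, cs(User-Agent) -> cs_user_agent."""
    return name.lower().replace("(", "_").replace(")", "").replace("-", "_")


def parse_w3c(text):
    """Return (records, dropped). Every '#Fields:' directive resets the column list,
    so a file whose header changes mid-way (IIS re-emits it) still parses; a line
    whose field count does not match the current header is counted and dropped."""
    fields, records, dropped = None, [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [normalize_field(f) for f in line[len("#Fields:"):].split()]
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            dropped += 1
            continue
        rec = dict(zip(fields, values))
        rec["cs_user_agent"] = rec.get("cs_user_agent", "-").replace("+", " ")
        records.append(rec)
    return records, dropped


def status_code_summary(records):
    """Per-day counts of 2xx/3xx/4xx/5xx, using the same prefix test as
    sc_status matches "2*" etc. in the first search."""
    classes = {"successes": "2", "redirects": "3", "client_errors": "4", "server_errors": "5"}
    out = defaultdict(Counter)
    for r in records:
        for name, prefix in classes.items():
            if r["sc_status"].startswith(prefix):
                out[r["date"]][name] += 1
    return {day: dict(c) for day, c in out.items()}


def top_404_urls(records, n=100):
    """Equivalent of: where sc_status matches "404" | count_frequent cs_uri_stem | limit n."""
    return Counter(r["cs_uri_stem"] for r in records if r["sc_status"] == "404").most_common(n)


def hits_per_day(records):
    """Equivalent of: timeslice by 1d | count as hits by _timeslice."""
    return dict(Counter(r["date"] for r in records))


def top_user_agents(records, n=10):
    """Equivalent of: count_frequent cs_user_agent | limit n."""
    return Counter(r["cs_user_agent"] for r in records).most_common(n)


def slowest_urls(records, n=100):
    """Average time-taken per URL; IIS logs milliseconds, so divide by 1000 for seconds.
    Sorted descending, matching the default order of sort by."""
    totals, counts = defaultdict(int), Counter()
    for r in records:
        totals[r["cs_uri_stem"]] += int(r["time_taken"])
        counts[r["cs_uri_stem"]] += 1
    avgs = {u: totals[u] / counts[u] / 1000 for u in totals}
    return sorted(avgs.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_404_clients(records, n=10):
    """Extension beyond the page: distinct 404 paths per client IP. One c-ip probing
    many missing paths is the usual signature of a scanner, not a broken link."""
    per_ip = defaultdict(set)
    for r in records:
        if r["sc_status"] == "404":
            per_ip[r["c_ip"]].add(r["cs_uri_stem"])
    return sorted(((ip, len(p)) for ip, p in per_ip.items()), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs, dropped = parse_w3c(SAMPLE_LOG)
    print(f"parsed {len(recs)} requests, dropped {dropped} malformed line(s)")
    print("status summary:", status_code_summary(recs))
    print("top 404 URLs:", top_404_urls(recs))
    print("hits per day:", hits_per_day(recs))
    print("top browsers:", top_user_agents(recs))
    print("slowest URLs (s):", slowest_urls(recs))
    print("404s by client:", top_404_clients(recs))
```

The field-count check matters in practice: IIS writes a fresh #Fields: header whenever the logged field set changes, and a parser that fixes the column list once will silently misalign sc_status and time_taken for every later line.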