# Post-processing for events typed 'IIS_CAS_requests': split selected
# parameters out of the IIS query string, set the event timestamp from the
# logged time, and enrich the client address with GeoIP data.
#
# Everything parsed here comes from 'cs-uri-query', which is supplied by the
# client. Treat as-CMD, as-DEV and uri-as-remainder as untrusted wherever they
# are later displayed, alerted on or used in lookups.
if [type] == 'IIS_CAS_requests' {
  grok {
    # Pattern, left to right:
    #   (?:Cmd=%{WORD:as-CMD}&)?              optional "Cmd=<word>&"          -> as-CMD
    #   (?:%{DATA}&)*                         zero or more "<anything>&" segments (not captured)
    #   (?:DeviceType=%{NOTSPACE:as-DEV})?    optional "DeviceType=<non-space>" -> as-DEV
    #   &                                     a literal '&' is required here
    #   %{GREEDYDATA:uri-as-remainder}        the rest of the string          -> uri-as-remainder
    #
    # NOTE(review): NOTSPACE does not stop at '&', so as-DEV can extend past the
    # DeviceType value into later parameters (up to the last '&'). Check this
    # against sample log lines.
    # NOTE(review): the '&' after the optional DeviceType group is mandatory. A
    # query string with no '&' fails to match (grok tags the event
    # _grokparsefailure by default), and a DeviceType that is the last
    # parameter does not appear to be captured. Confirm this is intended.
    # NOTE(review): the pattern is unanchored, and (?:%{DATA}&)* repeats a lazy
    # wildcard inside a repeated group. On long client-supplied query strings
    # with many '&' this can backtrack heavily. grok's timeout_millis bounds
    # the cost; consider setting it explicitly and monitoring for the
    # _groktimeout tag.
    match => ['cs-uri-query', '(?:Cmd=%{WORD:as-CMD}&)?(?:%{DATA}&)*(?:DeviceType=%{NOTSPACE:as-DEV})?&%{GREEDYDATA:uri-as-remainder}']
  }
  date {
    # Parses the 'timestamp' field as "yyyy-MM-dd HH:mm:ss" into the event time.
    # NOTE(review): no timezone option is given, so the value is interpreted in
    # the Logstash host's timezone. IIS W3C logs are normally written in UTC;
    # confirm the log format and set the timezone option if it differs from the
    # host, otherwise event times will be skewed when correlating with other
    # sources.
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
  }
  geoip {
    # Looks up the address in 'c-ip'.
    # NOTE(review): presumably this is the client IP as logged by IIS. If
    # requests arrive through a proxy or load balancer, the field may hold that
    # device's address rather than the real client. Verify before relying on
    # the location data.
    source => "c-ip"
  }
}