https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375960#M45593 <P>I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log </P> <P>I need to parse this source with the Splunk Add-on for Microsoft IIS to search thru loads of web server logs.</P> <P>Please advise next steps or how I might parse these logs.</P> <P>Thank you</P> Tue, 29 Sep 2020 19:22:08 GMT Log_wrangler 2020-09-29T19:22:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375960#M45593 <P>I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log </P> <P>I need to parse this source with the Splunk Add-on for Microsoft IIS to search thru loads of web server logs.</P> <P>Please advise next steps or how I might parse these logs.</P> <P>Thank you</P> Tue, 29 Sep 2020 19:22:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375960#M45593 Log_wrangler 2020-09-29T19:22:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375961#M45594 <OL> <LI>Download and install the <A href="https://splunkbase.splunk.com/app/3185/" target="_blank">Splunk Add-on for Microsoft IIS</A>.</LI> <LI>Create a folder named <CODE>local</CODE> in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis</LI> <LI>Copy the props.conf file from default to local</LI> <LI>Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]</LI> <LI>Restart Splunk</LI> </OL> <P>Note: you can wildcard the [source:: stanza if you have multiple sources.</P> <P>Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -&gt; <A href="http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms" target="_blank">http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms</A></P> Tue, 29 Sep 2020 19:22:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375961#M45594 jconger 2020-09-29T19:22:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375962#M45595 <P>Thank you I will test it and let you know.</P> Mon, 07 May 2018 18:47:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375962#M45595 Log_wrangler 2018-05-07T18:47:31Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375963#M45596 <P>I tried your suggestion but I am not seeing the fields parse out differently. Do you think I need to override the aws:s3 sourcetype and change it to ms iis sourcetype? </P> <P>thanks</P> Wed, 09 May 2018 15:51:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375963#M45596 Log_wrangler 2018-05-09T15:51:10Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375964#M45597 <P>Looks like there was an ID10T error causing it not to work, but it does now, thx</P> Fri, 11 May 2018 14:26:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-parse-IIS-Web-logs-from-Splunk-Add-on-for-AWS-with-Splunk/m-p/375964#M45597 Log_wrangler 2018-05-11T14:26:26Z