topic Re: Why after switching from HF to UF, MSWindows:2012:IIS event no longer parses correctly? in Splunk Enterprise

Why after switching from HF to UF, MSWindows:2012:IIS event no longer parses correctly?

gitingua — Thu, 07 Apr 2022 15:36:32 GMT

Hello colleagues. we recently switched from Splunk HF to UF. before this event with sourcetype = MSWindows:2012:IIS. parsed normal but after installation, something went wrong. and events in the spanner do not take all the fields from the logs

Re: Why after switching from HF to UF, MSWindows:2012:IIS event no longer parses correctly?

VatsalJagani — Thu, 07 Apr 2022 16:42:21 GMT

@gitingua - If you are using the https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Install Add-on for collecting and parsing the IIS logs then with UF Add-on requires to be installed on Indexers.

(I'm assuming UF is sending data directly to Indexers.)

I hope this helps, if it does consider upvoting!!!

Re: Why after switching from HF to UF, MSWindows:2012:IIS event no longer parses correctly?

gitingua — Fri, 08 Apr 2022 08:10:26 GMT

@VatsalJagani Hi. We use the app https://splunkbase.splunk.com/app/3225/
The problem is that there is a sourcetype=MSWindows:2012:IIS

But it is not described in the props file, it does not parse events, do you think need to change the application?

Re: Why after switching from HF to UF, MSWindows:2012:IIS event no longer parses correctly?

VatsalJagani — Fri, 08 Apr 2022 08:31:35 GMT

@gitingua - I would install the Add-on on Indexers still because it seems like Add-on definitely has some parsing configuration. Make sure to put Add-on on the UF as well.

(I'm assuming your UF is sending logs to Indexer directly.)