<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Intermittent Index Time Parsing Issues for IIS events? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Intermittent-Index-Time-Parsing-Issues-for-IIS-events/m-p/629254#M107948</link>
    <description>&lt;P&gt;Hi, I have the same issue and no solution.&lt;/P&gt;&lt;P&gt;Even trying to use these configs, I have failed to produce anything but garbage; actually it seems they don't even work and they conflict somehow with the w3c setting&amp;nbsp;&lt;BR /&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Extractfieldsfromfileswithstructureddata" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Extractfieldsfromfileswithstructureddata&lt;/A&gt;&lt;/P&gt;&lt;P&gt;What I was hoping was that maybe this setting below would help, but it did not&amp;nbsp;&lt;BR /&gt;&lt;SPAN&gt;FIELD_DELIMITER=\s&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;#iis #ms:iis:auto&lt;/P&gt;</description>
    <pubDate>Wed, 01 Feb 2023 23:42:24 GMT</pubDate>
    <dc:creator>printul77700</dc:creator>
    <dc:date>2023-02-01T23:42:24Z</dc:date>
    <item>
      <title>Intermittent Index Time Parsing Issues for IIS events?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Intermittent-Index-Time-Parsing-Issues-for-IIS-events/m-p/626471#M107618</link>
      <description>&lt;P&gt;I am observing intermittent issues parsing IIS data.&amp;nbsp; Splunk is configured for index time parsing of IIS events on the universal forwarders (INDEXED_EXTRACTIONS).&amp;nbsp; The extraction works fine for most events, but a small percentage (less than 1%) fail parsing.&lt;/P&gt;
&lt;P&gt;I am detecting the events that fail parsing with the following SPL&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;index=[IIS INDEXES] sourcetype=iis NOT c_ip=*&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;I have noticed an error in the splunkd.log on the universal forwarders that accounts for some of these issues.&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;04-06-2022 20:08:42.602 -0500 WARN CsvLineBreaker - Parser warning: Encountered unescaped quotation mark in field while parsing. This may cause inaccurate field extractions or corrupt/merged events. - data_source="e:\iis-logs\W3SVC1\u_ex220407.log", data_host="XXXXX", data_sourcetype="iis"&lt;BR /&gt;&lt;/FONT&gt;&lt;SPAN&gt;In these cases, it appears that not only does index time field parsing fail but event breaking fails, resulting in many events getting lumped into a single event.&amp;nbsp; This may not be avoidable and we’re at least able to point to a cause for these issues, but many more are unexplained.&lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;BR /&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;For most of the events that fail parsing the result is a single line event which appears to be formatted correctly but has no indexed fields.&amp;nbsp; I was originally having an issue with these events reporting in the future as well but adding a time zone to props.conf seems to have at least resolved that issue.&lt;/P&gt;
&lt;P&gt;I have upgraded through several versions (8.1.2, 8.2.3, 8.2.7.1) on the Universal forwarders and have seen this issue across all these versions.&lt;/P&gt;
&lt;P&gt;If you have any ideas on what might be causing failures in index time parsing for IIS data I would love to hear them.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Jan 2023 18:41:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Intermittent-Index-Time-Parsing-Issues-for-IIS-events/m-p/626471#M107618</guid>
      <dc:creator>ericnewman</dc:creator>
      <dc:date>2023-01-10T18:41:09Z</dc:date>
    </item>
    <item>
      <title>Re: Intermittent Index Time Parsing Issues for IIS events?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Intermittent-Index-Time-Parsing-Issues-for-IIS-events/m-p/629254#M107948</link>
      <description>&lt;P&gt;Hi, I have the same issue and no solution.&lt;/P&gt;&lt;P&gt;Even trying to use these configs, I have failed to produce anything but garbage; actually it seems they don't even work and they conflict somehow with the w3c setting&amp;nbsp;&lt;BR /&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Extractfieldsfromfileswithstructureddata" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Extractfieldsfromfileswithstructureddata&lt;/A&gt;&lt;/P&gt;&lt;P&gt;What I was hoping was that maybe this setting below would help, but it did not&amp;nbsp;&lt;BR /&gt;&lt;SPAN&gt;FIELD_DELIMITER=\s&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;#iis #ms:iis:auto&lt;/P&gt;</description>
      <pubDate>Wed, 01 Feb 2023 23:42:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Intermittent-Index-Time-Parsing-Issues-for-IIS-events/m-p/629254#M107948</guid>
      <dc:creator>printul77700</dc:creator>
      <dc:date>2023-02-01T23:42:24Z</dc:date>
    </item>
    <item>
      <title>Re: Intermittent Index Time Parsing Issues for IIS events?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Intermittent-Index-Time-Parsing-Issues-for-IIS-events/m-p/629256#M107950</link>
      <description>&lt;P&gt;Update: actually I see that using the next setting is apparently solving the issue, but I find it uncontrollable. I am not sure if and how the backtick, or whatever I decide to add there, will appear and break other things, so as I have a small number of events with this issue I am choosing not to go further ...&lt;BR /&gt;&lt;SPAN&gt;FIELD_QUOTE=` (so instead of " which is maybe some default - Specifies the character to use for quotes in the specified file or source. You can specify special characters in this attribute.)&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Feb 2023 23:53:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Intermittent-Index-Time-Parsing-Issues-for-IIS-events/m-p/629256#M107950</guid>
      <dc:creator>printul77700</dc:creator>
      <dc:date>2023-02-01T23:53:53Z</dc:date>
    </item>
  </channel>
</rss>

