https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58672#M11541 <P>There is a work around if you choose not to re-index the log files. You can create a new eventtype that includes all the different iis sourcetypes. Then create a new iisFieldExtraction stanza in transforms.conf file that will be use in the props.conf to do search time field extractions.</P> <P>Hope that makes sense. If not, here are some more details:</P> <P>Create a new eventtype called "iislogs" using the following query:</P> <PRE><CODE>sourcetype=*_iislogs OR sourcetype=iis* </CODE></PRE> <P>"iis*" is used in case your indexer appends a -1 or -2 to your iis sourcetypes. I don't know why that's the case. It's suppose to have stopped doing that since version 4, but mine at version 4.2.4 is still doing it.</P> <P>Anyway, now you have to add the following in transforms.conf file to define a generic field extraction information for your *_iislogs sourcetypes. </P> <PRE><CODE>[delimExtractionsIIS] FIELDS="date","time","s-sitename","s-computername","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs-version","cs-user-agent","cs-Cookie","cs-referer","cs-host","sc-status","sc-substatus","sc-win32-status","sc-bytes","cs-bytes","time-taken" DELIMS = " " </CODE></PRE> <P>Now, create a [servername_iislogs] stanza for all the iislogs sourcetypes in props.conf that looks like the following:</P> <PRE><CODE>[server1_iislogs] REPORT-iislogs = delimExtractionsIIS [server2_iislogs] REPORT-iislogs = delimExtractionsIIS </CODE></PRE> <P>If the path to the iis log files on all the servers are identical, you can also use just a single "source" stanza for all the servers. For example, if all your iis log files are stored on d:\logs\iislogs you can just use the following:</P> <PRE><CODE>[source::...\\logs\\iislogs\\...\\ex*.log] REPORT-iislogs = delimExtractionsIIS </CODE></PRE> <P>From now on, all your IIS related queries must begin with <CODE>eventtype=iislogs</CODE>.</P> <P>example: <CODE>eventtype=iislogs | table s-ip, c-ip</CODE></P> Thu, 26 Jan 2012 22:27:07 GMT williamche 2012-01-26T22:27:07Z https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58671#M11540 <P>I have several IIS servers forwarding over logs using the universal forwarder. I modified the inputs.conf on each server creating a custom sourcetype of servername_iislogs. The logs aren't parsing and I found out if I had set the sourcetype to IIS they would be. If these logs are already indexed will I have to delete and re-index them with the sourcetype set to IIS in order for them to be parsed correctly?</P> Thu, 26 Jan 2012 19:39:22 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58671#M11540 Boell 2012-01-26T19:39:22Z https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58672#M11541 <P>There is a work around if you choose not to re-index the log files. You can create a new eventtype that includes all the different iis sourcetypes. Then create a new iisFieldExtraction stanza in transforms.conf file that will be use in the props.conf to do search time field extractions.</P> <P>Hope that makes sense. If not, here are some more details:</P> <P>Create a new eventtype called "iislogs" using the following query:</P> <PRE><CODE>sourcetype=*_iislogs OR sourcetype=iis* </CODE></PRE> <P>"iis*" is used in case your indexer appends a -1 or -2 to your iis sourcetypes. I don't know why that's the case. It's suppose to have stopped doing that since version 4, but mine at version 4.2.4 is still doing it.</P> <P>Anyway, now you have to add the following in transforms.conf file to define a generic field extraction information for your *_iislogs sourcetypes. </P> <PRE><CODE>[delimExtractionsIIS] FIELDS="date","time","s-sitename","s-computername","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs-version","cs-user-agent","cs-Cookie","cs-referer","cs-host","sc-status","sc-substatus","sc-win32-status","sc-bytes","cs-bytes","time-taken" DELIMS = " " </CODE></PRE> <P>Now, create a [servername_iislogs] stanza for all the iislogs sourcetypes in props.conf that looks like the following:</P> <PRE><CODE>[server1_iislogs] REPORT-iislogs = delimExtractionsIIS [server2_iislogs] REPORT-iislogs = delimExtractionsIIS </CODE></PRE> <P>If the path to the iis log files on all the servers are identical, you can also use just a single "source" stanza for all the servers. For example, if all your iis log files are stored on d:\logs\iislogs you can just use the following:</P> <PRE><CODE>[source::...\\logs\\iislogs\\...\\ex*.log] REPORT-iislogs = delimExtractionsIIS </CODE></PRE> <P>From now on, all your IIS related queries must begin with <CODE>eventtype=iislogs</CODE>.</P> <P>example: <CODE>eventtype=iislogs | table s-ip, c-ip</CODE></P> Thu, 26 Jan 2012 22:27:07 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58672#M11541 williamche 2012-01-26T22:27:07Z https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58673#M11542 <P>This worked, Thanks!!</P> Tue, 31 Jan 2012 16:34:40 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58673#M11542 Boell 2012-01-31T16:34:40Z https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58674#M11543 <P>OMG! That is truely amazing! Thank you for putting the work in to this.</P> Tue, 05 Jun 2012 21:00:16 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Sourcetype/m-p/58674#M11543 treinke 2012-06-05T21:00:16Z