https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182405#M36573 <P>Splunk is probably looking for a specific format. Try changing your IIS server to use W3C log format rather than IIS since it is a standard logging format.</P> Thu, 29 May 2014 17:04:17 GMT terridonahue 2014-05-29T17:04:17Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182404#M36572 <P>I have added some IIS logs to Splunk via the "Files and Directories" input. While I can query the raw data it does not appear that Splunk is recognizing the format of these logs. For example when I query "source="\\xxxxxxxxx\IIS Logs*"" I receive the following results:</P> <P>119.63.193.195, -, 5/21/2014, 23:59:53, W3SVC3, xxxxxxxxx , xx.xx.xx.xx, 187, 144, 2800, 200, 64, GET, /, -,<BR /> date_hour = 23 date_mday = 21 date_minute = 59 date_month = may date_second = 53 date_wday = wednesday date_year = 2014 date_zone = local eventtype = wineventlog-index eventtype = winevents host = xxxxxxx index = main linecount = 1 punct = ...,<EM>-,</EM>//,<EM>::,</EM>,<EM>,</EM>...,<EM>,</EM>,<EM>,</EM>,<EM>,</EM>,<EM>/,</EM>-, source = \xxxxxxxxx\IIS Logs\u_in14052123.log sourcetype = u_in-too_small splunk_server = xxxxxxxxx timeendpos = 38 timestartpos = 19</P> <P>The first part of the result "119.63.193.195" is the client IP that accessed this website. My issue is that splunk is not recognizing this field as the clientip.</P> <P>My logs are in IIS format.</P> <P>What am I doing wrong?</P> <P>Additionally, in the above results, what is "punct = ...,<EM>-,</EM>//,<EM>::,</EM>,<EM>,</EM>...,<EM>,</EM>,<EM>,</EM>,<EM>,</EM>,<EM>/,</EM>-,"?</P> <P>Thank you for your time.</P> Mon, 28 Sep 2020 16:45:09 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182404#M36572 JoshuaThompson 2020-09-28T16:45:09Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182405#M36573 <P>Splunk is probably looking for a specific format. Try changing your IIS server to use W3C log format rather than IIS since it is a standard logging format.</P> Thu, 29 May 2014 17:04:17 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182405#M36573 terridonahue 2014-05-29T17:04:17Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182406#M36574 <P>Is there a way that I can tell Splunk the format of my data? Changing the format to W3C helps me going forward but it does not help for the data that has already been indexed.</P> Thu, 29 May 2014 18:32:17 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182406#M36574 JoshuaThompson 2014-05-29T18:32:17Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182407#M36575 <P>I am looking to see if there is. I am sure it can be designated on the conf file but need to determine what goes there. Also punct is simply the entire line item with everything but punctuation removed. You can use it to find like items. For more info: <A href="http://docs.splunk.com/Splexicon:Punct">http://docs.splunk.com/Splexicon:Punct</A></P> Thu, 29 May 2014 20:59:07 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182407#M36575 terridonahue 2014-05-29T20:59:07Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182408#M36576 <P>Terridonahue - If you find the answer please let me know. I will do likewise. Thank you for the information on "punct". I do appreciate it.</P> Mon, 02 Jun 2014 19:33:47 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-Format-Question/m-p/182408#M36576 JoshuaThompson 2014-06-02T19:33:47Z