https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211468#M41617 <P>I found it by seeing in _internal logs that there are unindexed zip files that are getting ignored<BR /> Fixed the issue by adding blacklist to the input, containing the zip files</P> Tue, 14 Jun 2016 11:20:31 GMT ehudb 2016-06-14T11:20:31Z https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211462#M41611 <P>I have an issue with IIS logs, being monitored by a Windows heavy forwarder through UNC path. When the forwarder service starts, the IIS logs start to collect, the logs are being indexed correctly. After a while, the logs stop being collected. It's only until a few hours later when they continue again when a new log file is created.</P> <P>The reason we suspected was the IIS log files do not change its modtime, so we tried "alwaysOpenFile" property in inputs.conf, but it made it worse. The logs weren't indexed even after restart of the service.</P> <P>The parsing queue in the forwarder is low on a regular basis. If we use the "alwaysOpenFile, it goes very high, above 90%. All the other queues in the indexer are looking fine (1 indexer only).</P> <P>Any ideas?</P> <P>Thanks, Ehud.</P> Tue, 01 Sep 2015 19:35:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211462#M41611 ehudb 2015-09-01T19:35:52Z https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211463#M41612 <P>I suspect you can find an error message by looking at index=_internal source=splunkd. Could be a socket time out, some limits.conf setting, etc. </P> Tue, 01 Sep 2015 20:08:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211463#M41612 jkat54 2015-09-01T20:08:02Z https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211464#M41613 <P>Using a file mount to with a file monitor is inherently problematic. Problems will arise on connectivity issue, slow/unresponsive file share, or host server busy. </P> Tue, 01 Sep 2015 22:15:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211464#M41613 bmacias84 2015-09-01T22:15:39Z https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211465#M41614 <P>Thanks, it was eventually issued by large zip files that shouldn't by indexed anyway, and caused high queue<BR /> Eventually after removing these files, the logs were indexed correctly on time</P> Thu, 28 Jan 2016 12:29:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211465#M41614 ehudb 2016-01-28T12:29:28Z https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211466#M41615 <P>Hey, how did you find the problem? Others might face this issue and they'll want to know how you diagnosed the issue.</P> <P>Thanks!</P> Sun, 31 Jan 2016 12:02:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211466#M41615 jkat54 2016-01-31T12:02:51Z https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211467#M41616 <P>Also, what was the solution? Blacklisting options on the input?</P> Sun, 31 Jan 2016 12:03:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211467#M41616 jkat54 2016-01-31T12:03:48Z https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211468#M41617 <P>I found it by seeing in _internal logs that there are unindexed zip files that are getting ignored<BR /> Fixed the issue by adding blacklist to the input, containing the zip files</P> Tue, 14 Jun 2016 11:20:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-we-configure-continuous-collection-and-indexing-of-IIS/m-p/211468#M41617 ehudb 2016-06-14T11:20:31Z