https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433379#M75752 <P>Your inputs.conf settings are fine. You'll want to take a look at the <STRONG>./Splunk_TA_microsoft-iis/default/props.conf</STRONG> file on your search head. There's a bunch of over-ambitious FIELDALIAS commands there, and depending on exactly what fields you're logging from IIS, those FIELDALIAS commands can jack-up your field extractions.</P> <P>I recommend commenting out this one:</P> <PRE><CODE>FIELDALIAS-s_computername = s_computername as host </CODE></PRE> <P>And either do a debug/refresh on your search head, or just restart the search head if that won't bum people out.</P> Tue, 29 Sep 2020 23:44:54 GMT gpullis 2020-09-29T23:44:54Z https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433377#M75750 <P>So bringing in some IIS logs from a few windows servers... seemed pretty simple. Installed the add-on for Micrsoft IIS which gave me a few new sourcetypes to use.</P> <P>My inputs.conf reads (star.log is actually *.log):<BR /> [monitor://C:\inetpub\logs\LogFiles\W3SVC1\star.log] <BR /> index = iis<BR /> sourcetype = ms:iis:default<BR /> disabled = false</P> <P>Event break are all chopped up. I looked at the source data from the IIS server and it looks like this (see image)</P> <P>I also noticed that the hostname is coming in as "cs-method" and not the actual hostname. This server is sending in other logs from the splunk forwarder just fine, with the correct hostname.</P> <P>Any pointers? Struggling here.</P> <P>Thanks!</P> <P>Joe</P> <P>Splunk Enterprise v6.5.0</P> Thu, 31 May 2018 20:50:58 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433377#M75750 joesrepsol 2018-05-31T20:50:58Z https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433378#M75751 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5107i725FDB31EA04C770/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 31 May 2018 21:49:15 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433378#M75751 joesrepsol 2018-05-31T21:49:15Z https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433379#M75752 <P>Your inputs.conf settings are fine. You'll want to take a look at the <STRONG>./Splunk_TA_microsoft-iis/default/props.conf</STRONG> file on your search head. There's a bunch of over-ambitious FIELDALIAS commands there, and depending on exactly what fields you're logging from IIS, those FIELDALIAS commands can jack-up your field extractions.</P> <P>I recommend commenting out this one:</P> <PRE><CODE>FIELDALIAS-s_computername = s_computername as host </CODE></PRE> <P>And either do a debug/refresh on your search head, or just restart the search head if that won't bum people out.</P> Tue, 29 Sep 2020 23:44:54 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433379#M75752 gpullis 2020-09-29T23:44:54Z https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433380#M75753 <P>Once you've figured out which FIELDALIAS commands are the problem, you can actually override them in a ./Splunk_TA_microsoft-iis/local/props.conf file by setting them equal to nothing, like:</P> <PRE><CODE>FIELDALIAS-s_computername = </CODE></PRE> <P>That's a better practice than making changes to the stuff in ./default.</P> Tue, 29 Sep 2020 23:44:56 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433380#M75753 gpullis 2020-09-29T23:44:56Z https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433381#M75754 <P>I just went to the app in manage apps, viewed the objects, found the aforementioned field alias and unchecked the "Overwrite field values" box - on my search head. Now I see the right host names associated with the events. </P> Tue, 28 Apr 2020 19:12:19 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/433381#M75754 cjpote 2020-04-28T19:12:19Z https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/517319#M87538 <P>I am also having issues with the host field appearing when i run a search for this data. I commented out the field alias in props and for some reason the host field still does not exist in the search. When running a tstats on the index by host we see values for host. But not when we just simply search the data</P> Tue, 01 Sep 2020 18:25:40 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-IIS-logs-not-formatting-correctly-hostname-problem/m-p/517319#M87538 adobrzeniecki 2020-09-01T18:25:40Z