https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41006#M7602 <P>Put this in you retc\system\local\transforms.conf</P> <P>[iis_fields]<BR /> DELIMS=" "<BR /> FIELDS="date","time","s-sitename","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs-version","cs(User-Agent)","cs(Cookie)","cs(Referer)","cs-host","sc-status","sc-substatus","sc-win32-status","sc-bytes","cs-bytes","time-taken"</P> Fri, 22 Feb 2013 19:42:08 GMT kmattern 2013-02-22T19:42:08Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41000#M7596 <P>I have been trying to figure out how to make IIS logs searchable in Splunk by IIS fields. We installed the latest version of the splunk agent and selected the IIS logs directory during the install. I went in and modified the inputs.conf in the MSICreated\Local folder as follows:</P> <P>[monitor://C:\inetpub\logs\logfiles\W3SVC1]<BR /> Disabled = false<BR /> Sourcetype=iis<BR /> ignoreOlderThan = 14d<BR /> host = servername.domain.com</P> <P>I can now see the IIS logs in the Spunk server, but I don't see that the fields are being properly identified. I have downloaded a couple of years work of logs and I would expect to be able to search by fields from the iis logs. For example: Shouldn't I be able to search by s-IP, since that field exists in the log?</P> <P>I have already checked props.conf on the Spunk server and it appears to be right given the following entries:</P> <P>[iis]<BR /> pulldown_type = true<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> SHOULD_LINEMERGE = False<BR /> CHECK_FOR_HEADER = True</P> <P>We are running Splunk 5.0.2 on UNIX. Logs are being forwarded with the current forwarder from a Windows 2008 box.</P> Mon, 28 Sep 2020 13:22:32 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41000#M7596 josephrehling 2020-09-28T13:22:32Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41001#M7597 <P>I'm pretty sure that true/false is case sensitive.</P> Fri, 22 Feb 2013 18:03:39 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41001#M7597 mikelanghorst 2013-02-22T18:03:39Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41002#M7598 <P>So are you saying it should be:</P> <P>[iis]<BR /> pulldown_type = true<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> SHOULD_LINEMERGE = false<BR /> CHECK_FOR_HEADER = true</P> <P>I didn't put in those lines (they were already there). Will it take a restart of splunk for those settings to take effect?</P> Mon, 28 Sep 2020 13:22:38 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41002#M7598 josephrehling 2020-09-28T13:22:38Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41003#M7599 <P>I see other examples where the case is exactly the same as what I had initially. I have changed it and restarted splunk. It appears to have no impact either way. Can you tell me what I am missing?</P> Fri, 22 Feb 2013 19:21:57 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41003#M7599 josephrehling 2013-02-22T19:21:57Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41004#M7600 <P>Hmm, I'd had a similar issue, but I've not indexed any IIS logs as of yet. There's a similar question that someone setup their own extractions I'll link in seperate answer</P> Fri, 22 Feb 2013 19:26:24 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41004#M7600 mikelanghorst 2013-02-22T19:26:24Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41005#M7601 <P>Looks like I was wrong above. This is likely what you'll need, I'm not finding any default extractions setup.</P> <P><A href="http://splunk-base.splunk.com/answers/24986/iis-log-fields-not-parsing">http://splunk-base.splunk.com/answers/24986/iis-log-fields-not-parsing</A></P> Fri, 22 Feb 2013 19:26:55 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41005#M7601 mikelanghorst 2013-02-22T19:26:55Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41006#M7602 <P>Put this in you retc\system\local\transforms.conf</P> <P>[iis_fields]<BR /> DELIMS=" "<BR /> FIELDS="date","time","s-sitename","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs-version","cs(User-Agent)","cs(Cookie)","cs(Referer)","cs-host","sc-status","sc-substatus","sc-win32-status","sc-bytes","cs-bytes","time-taken"</P> Fri, 22 Feb 2013 19:42:08 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41006#M7602 kmattern 2013-02-22T19:42:08Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41007#M7603 <P>I think this is close. I made these changes to my props.conf and transforms.conf... I have noticed though that no matter what I put in the client inputs.conf, the server sees the sourcetype as iis-2...</P> Fri, 22 Feb 2013 19:55:57 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41007#M7603 josephrehling 2013-02-22T19:55:57Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41008#M7604 <P>So I am guessing that the FIELDS section needs to match exactly the order from the sending file in order to work? So for each ISS log, I need a transforms.conf entry that tells splunk what each field and delimiter is? If that is the answer, this doesn't seem worth the trouble.</P> Fri, 22 Feb 2013 20:04:01 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41008#M7604 josephrehling 2013-02-22T20:04:01Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41009#M7605 <P>Unless your iis logs are all different you should need only one transforms entry. I've been indexing iis for a couple of years with just this entry in my transforms.conf</P> Fri, 22 Feb 2013 20:12:23 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41009#M7605 kmattern 2013-02-22T20:12:23Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41010#M7606 <P>So the final answer on this is a bit more complicated. I needed to set IIS first, then open a log and fine the header entry. I then used the header information in the IIS log to create the fields value. I also needed to change the CHECK_FOR_HEADER to false. One mistake I made is that I started forwarding logs before I understood how this works. I ingested 2GB of logs that don't match my final solution, so I would need to do a seperate field convertion for those logs if I wanted them field searchable.</P> Mon, 28 Sep 2020 13:24:33 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41010#M7606 josephrehling 2020-09-28T13:24:33Z https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41011#M7607 <P>in that case put this in your props.conf and you'll be good to go.</P> <P>[iis-2]<BR /> rename=iis</P> Wed, 27 Feb 2013 20:02:57 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-log-fields-How-to-configure/m-p/41011#M7607 kmattern 2013-02-27T20:02:57Z