https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520341#M87961 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>It looks like it is already installed on the search heads.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="iamperson347_0-1600437206016.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10888i1341F2193F837325/image-size/medium?v=v2&amp;px=400" role="button" title="iamperson347_0-1600437206016.png" alt="iamperson347_0-1600437206016.png" /></span></P><P>&nbsp;</P> Fri, 18 Sep 2020 13:54:42 GMT iamperson347 2020-09-18T13:54:42Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520336#M87959 <P>Hi All,</P><P>I've followed the instructions here (<A href="https://docs.splunk.com/Documentation/AddOns/latest/MSIIS/About" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/AddOns/latest/MSIIS/About</A>) to ingest MS IIS logs into splunk. I have installed the universal forwarder on our test windows server, as well as the IIS Splunkbase app on the windows server and our heavy forwarder. (Our heavy forwarder is configured to forward upstream.)</P><P>For inputs on the test windows server, we have this configured:</P><P>C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor://C:\inetpub\logs\LogFiles] disabled = 0 index = test_index sourcetype = ms:iis:auto</LI-CODE><P>&nbsp;</P><P>Example of the IIS log:</P><P>&nbsp;</P><LI-CODE lang="markup">#Software: Microsoft Internet Information Services 8.5 #Version: 1.0 #Date: 2020-09-18 13:15:43 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken 2020-09-18 13:15:43 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 304 0 0 171 2020-09-18 13:15:43 127.0.0.1 GET /iis-85.png - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko http://localhost/ 304 0 0 0 2020-09-18 13:15:43 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64;+Trident/7.0;+rv:11.0)+like+Gecko - 404 0 2 0</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Data from Splunk Search:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="iamperson347_0-1600436227742.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10887i47B788F8F74160FE/image-size/large?v=v2&amp;px=999" role="button" title="iamperson347_0-1600436227742.png" alt="iamperson347_0-1600436227742.png" /></span></P><P>&nbsp;</P><P>Any idea on why fields aren't being extracted? Not even host is being extracted. Other logs from our windows servers work fine, this is the only app/log type we are currently having trouble with.</P> Fri, 18 Sep 2020 13:43:23 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520336#M87959 iamperson347 2020-09-18T13:43:23Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520338#M87960 <P>Try installing the IIS add-on on your search head(s).</P> Fri, 18 Sep 2020 13:51:13 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520338#M87960 richgalloway 2020-09-18T13:51:13Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520341#M87961 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>It looks like it is already installed on the search heads.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="iamperson347_0-1600437206016.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10888i1341F2193F837325/image-size/medium?v=v2&amp;px=400" role="button" title="iamperson347_0-1600437206016.png" alt="iamperson347_0-1600437206016.png" /></span></P><P>&nbsp;</P> Fri, 18 Sep 2020 13:54:42 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520341#M87961 iamperson347 2020-09-18T13:54:42Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520664#M87995 <P>Issue was with the search itself - not the fields from the app.</P> Mon, 21 Sep 2020 16:39:37 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-Microsoft-IIS-ms-iis-auto-No-Fields-Extracted/m-p/520664#M87995 iamperson347 2020-09-21T16:39:37Z