IIS Status Field

rcovert — Mon, 28 Sep 2020 11:42:29 GMT

Hi,

I am having trouble getting Splunk to read the status field from my logs. I have put the following in my props.conf and restarted Splunk:

[iis]
TZ = GMT
CHECK_FOR_HEADER = true
FIELDALIAS-status = "sc-status" AS status

If I search for eventtype=web-traffic, I see results. But, when I search eventtype=web-traffic status=200, I get 0 results.

My indexer in on Linux, forwarder on Windows. Can anyone help me?

Re: IIS Status Field

rcovert — Mon, 28 Sep 2020 11:42:34 GMT

Well, I figured it out on my own. In case anyone else has the same problem, this is what I did. First, I put this in my props.conf:

[iis]
TZ = GMT
CHECK_FOR_HEADER = true
REPORT-AutoHeader = AutoHeader-1
FIELDALIAS-status = c_ip AS clientip cs_Referer_ AS referer_domain cs_User_Agent_ AS useragent cs_host AS host cs_method AS method cs_uri_query AS q cs_uri_stem AS uri sc_status AS status

and this in transforms.conf:
[AutoHeader-1]
DELIMS = " "
FIELDS = "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"

I'm not sure why the field aliases use a "_" instead of "-", but it works!

topic IIS Status Field in Splunk Search

IIS Status Field

Re: IIS Status Field