topic Re: Why are fields not being extracted from my iis logs in Splunk Search

Why are fields not being extracted from my iis logs

k2skaterii — Fri, 13 Nov 2015 17:12:40 GMT

I am running version 6.3.0 on my indexer and all my universal forwarders. I'm currently trying to get things configured properly on one of my iis servers before pushing this configuration out to all of my other iis servers.

The iis logs are being forwarded to my index, but the only fields that are being extracted are host, source and sourcetype.

The inputs.conf on my iis server contains:

[monitor://<log_location>]
sourcetype = iis
index = iis_logs

The props.conf on my iis server contains:

[iis]
INDEXED_EXTRACTIONS = w3c

My indexer contains the default props.conf which includes

[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
category = web
description = w3c Extended log format produced by the Microsoft Internet Information Services (IIS) web server

Am I missing something that is preventing my indexer from extracting the fields from the iis logs?

Re: Why are fields not being extracted from my iis logs

woodcock — Fri, 13 Nov 2015 19:23:28 GMT

When you use INDEXED_EXTRACTIONS, the field creation happens on the forwarder. I do not see any reason to have a separate props.conf configuration on your Indexer form what is on your forwarder. Put everything in the same file, deploy this props.conf file to your Forwarders and restart the splunk instances there and it should work fine.

Re: Why are fields not being extracted from my iis logs

k2skaterii — Mon, 16 Nov 2015 20:21:49 GMT

While a couple of years old, but I was referencing the following blog when I was trying to configure Splunk to pull in the iis logs.

http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

The props.conf that is on the indexer is the default configuration file. I've tried copying the entire [iis] stanza from the props.conf on the indexer into the props.conf in the app that is being deployed to the universal forwarder, but that didn't help. Fields are still not being extracted.

I've also tried completely removing the props.conf from the app that is being deployed to the universal forwarder, that did not help either, same results.

All of my host are pointing to a heavy forwarder, which is forwarding the data onto the indexer. Could that be complicating things?

Re: Why are fields not being extracted from my iis logs

k2skaterii — Tue, 17 Nov 2015 15:38:52 GMT

Water is wet. The Sky is blue. And computers do crazy crap.

Yesterday around noon, I pulled the props.conf out of the deployment app. When I left work fields were not being extracted. This morning when I showed up fields are being extracted.

While I'd like to spend time figuring out why.... I'm moving on to the next task. Figuring out how to filtering out the unnecessary iis-logs.