The Splunk Add-on for Microsoft IIS still requires the administrator to manually create an inputs.conf file on each IIS host, customized with the paths of all Log directories. For large, diverse environments, this can be time consuming.

The following app can be deployed to your Windows servers, alongside the IIS add-on. On first-run it will automatically populate its inputs.conf with monitor stanzas. Each monitor will correspond to one IIS website's log folder.

├── bin
│   ├── generate_inputs.cmd
│   ├── generate_inputs.ps1
│   └── restart_splunk.cmd
├── default
│   └── app.conf
└── local
    ├── app.conf
    └── inputs.conf

bin/generate_inputs.cmd

REM store path of this bin folder
set "BINPATH=%~dp0"
REM set "SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder"

Powershell -ExecutionPolicy ByPass -File "%BINPATH%generate_inputs.ps1" -splunkHome "%SPLUNK_HOME%"

bin/generate_inputs.ps1

# generate inputs.conf for IIS

Import-Module WebAdministration
$INPUTSCONF = "$PSScriptRoot\..\local\inputs.conf"

# only if IIS websites exist and inputs.conf contains no monitors
If ((Get-Website) -And (-Not (Select-String -Pattern "^\[monitor" -Path "$INPUTSCONF" -quiet))) {
 foreach($WebSite in $(get-website)) {
  $logFile="$($Website.logFile.directory)\W3SVC$($website.id)".replace("%SystemDrive%",$env:SystemDrive)
  Add-Content -Path "$INPUTSCONF" -Value ""
  Add-Content -Path "$INPUTSCONF" -Value "# $($website.name)"
  Add-Content -Path "$INPUTSCONF" -Value "[monitor://$logfile]"
  Add-Content -Path "$INPUTSCONF" -Value "disabled = false"
  Add-Content -Path "$INPUTSCONF" -Value "ignoreOlderThan = 14d"
  Add-Content -Path "$INPUTSCONF" -Value "sourcetype = ms:iis:auto"
  Add-Content -Path "$INPUTSCONF" -Value "index = default"
 }
 # restart splunk if inputs.conf now contains monitors
 if (Select-String -Pattern "^\[monitor" -Path "$INPUTSCONF" -quiet) {
  Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "$PSScriptRoot\restart_splunk.cmd"
 }
}

bin/restart_splunk.cmd

@echo off
 timeout /t 5
 rem "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" restart
 sc stop SplunkForwarder
 sc start SplunkForwarder
 exit

local/inputs.conf

[script://.\bin\generate_inputs.cmd]
disabled = False
index = _internal
interval = -1

# autogenerated monitors will be written below this line

Limitations: the script will not change inputs.conf once it has been written out. It would need to be undeployed/redeployed to catch up to any IIS configuration changes. It also will not resolve environment variables in the paths other than systemdrive (which would be unusual, but could happen). It's also possible for a Windows foldername to contain a bracket "]" character which might crash the [monitor://] stanza. I haven't tested, and don't know if there's a method for escaping it.