I'm new to Splunk
I have a trivial task of analyzing ISS logs.
- installed Splunk on local computer.
- installed "Splunk Add-on for Microsoft IIS"
- Created data source from folder, using ms:iis:auto as source type and Splunk_TA_microsoft-iis.
When I do search after the source was created it displays no IIS log fields, but some internal ones only.
I can not understand from documentation what should I do to see IIS fields in IIS log files.
I tried all combinations, like default application, source type iis or ms:iis:default - same outcome.
As a new person to Splunk I could not achieve basic functionality of reading W3C log.
I used Log Parser to achieve the aim.
The outcome in regards to Splunk - I deleted it and developed a negative bias to that tech.
There are 2 things here, testing the events as you want them and doing it in production-
Since you know the path of the logs you are trying to index, and for testing
got to settings > add data > monitor > files & directories > select the folder/file you want to monitor.
Once you do this you should be able to see if data gets indexed in your local splunk, that would rule out issues with the source data.
We did this for one of our production apps AND we did not use the add in app. Once we were sure of the data indexed by testing through continuous monitoring, we simply added a forwarder to send the logs from the specific folder to the production splunk instance.
WARNING - If you do decide to monitor the logs manually. keep an eye on the data being indexed , you could run out of your trial license limits...
As this point of time I want to verify the software can work with IIS logs.
I added the source folder using "got to settings > add data > monitor > files & directories > select the folder/file"
Nothing changed. Splunk does import files BUT does NOT parse the log.
It just displays log lines, regardless header or data, and does not parse into fields.