All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cannot produce fields from IIS logs - please help

dmitry_nechaev_
Engager
‎05-09-2019 11:57 PM

I'm new to Splunk

I have a trivial task of analyzing ISS logs.
So I
- installed Splunk on local computer.
- installed "Splunk Add-on for Microsoft IIS"
- Created data source from folder, using ms:iis:auto as source type and Splunk_TA_microsoft-iis.
alt text

When I do search after the source was created it displays no IIS log fields, but some internal ones only.
alt text

I can not understand from documentation what should I do to see IIS fields in IIS log files.
I tried all combinations, like default application, source type iis or ms:iis:default - same outcome.

Please help.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

dmitry_nechaev_
Engager
‎05-13-2019 05:28 PM

As a new person to Splunk I could not achieve basic functionality of reading W3C log.
I used Log Parser to achieve the aim.

The outcome in regards to Splunk - I deleted it and developed a negative bias to that tech.

0 Karma
Reply

Sukisen1981
Champion
‎05-11-2019 03:43 AM

Hi ,
There are 2 things here, testing the events as you want them and doing it in production-
Since you know the path of the logs you are trying to index, and for testing
got to settings > add data > monitor > files & directories > select the folder/file you want to monitor.

Once you do this you should be able to see if data gets indexed in your local splunk, that would rule out issues with the source data.
We did this for one of our production apps AND we did not use the add in app. Once we were sure of the data indexed by testing through continuous monitoring, we simply added a forwarder to send the logs from the specific folder to the production splunk instance.
WARNING - If you do decide to monitor the logs manually. keep an eye on the data being indexed , you could run out of your trial license limits...

0 Karma
Reply

dmitry_nechaev_
Engager
‎05-12-2019 04:39 PM

hi @Sukinen1981

As this point of time I want to verify the software can work with IIS logs.
I added the source folder using "got to settings > add data > monitor > files & directories > select the folder/file"
Nothing changed. Splunk does import files BUT does NOT parse the log.
It just displays log lines, regardless header or data, and does not parse into fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...