Cannot produce fields from IIS logs - please help

dmitry_nechaev_
Engager

I'm new to Splunk

I have a trivial task of analyzing IIS logs.
So I
- installed Splunk on local computer.
- installed "Splunk Add-on for Microsoft IIS"
- Created data source from folder, using ms:iis:auto as source type and Splunk_TA_microsoft-iis.

When I do search after the source was created it displays no IIS log fields, but some internal ones only.

I cannot understand from the documentation what I should do to see IIS fields in IIS log files.
I tried all combinations, like default application, source type iis or ms:iis:default - same outcome.

Please help.

0 Karma

dmitry_nechaev_
Engager

As a new person to Splunk I could not achieve basic functionality of reading W3C log.
I used Log Parser to achieve the aim.

The outcome in regards to Splunk - I deleted it and developed a negative bias to that tech.

0 Karma

Sukisen1981
Champion

Hi,
There are 2 things here: testing the events as you want them, and doing it in production.
Since you know the path of the logs you are trying to index, for testing
go to settings > add data > monitor > files & directories > select the folder/file you want to monitor.

Once you do this you should be able to see if data gets indexed in your local Splunk; that would rule out issues with the source data.
We did this for one of our production apps AND we did not use the add in app. Once we were sure of the data indexed by testing through continuous monitoring, we simply added a forwarder to send the logs from the specific folder to the production Splunk instance.
WARNING - If you do decide to monitor the logs manually, keep an eye on the data being indexed; you could run out of your trial license limits...

0 Karma

dmitry_nechaev_
Engager

Hi @Sukisen1981

At this point in time I want to verify the software can work with IIS logs.
I added the source folder using "go to settings > add data > monitor > files & directories > select the folder/file"
Nothing changed. Splunk does import files BUT does NOT parse the log.
It just displays log lines, regardless header or data, and does not parse into fields.

0 Karma
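
Added example, not part of any post in this thread: a small Python check that reads a W3C extended log the way a field extractor has to, taking field names from the `#Fields:` header and mapping each data row onto them. It helps rule out the source data (missing header, rows that do not match the header) before looking at the indexing side. The function name `parse_w3c` and the sample log lines are constructed for illustration.

```python
# Constructed sample in W3C extended log format (the format IIS writes).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status time-taken
2024-01-15 08:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 200 15
2024-01-15 08:00:02 10.0.0.5 POST /login.aspx - 443 - 203.0.113.9 401 32
#Fields: date time cs-method cs-uri-stem sc-status
2024-01-15 09:00:00 GET /health 200
2024-01-15 09:00:05 GET /broken
"""


def parse_w3c(lines):
    """Return (events, problems) for an iterable of W3C log lines.

    events   - one dict per data row, keyed by the active #Fields header
    problems - (line_number, reason) for rows that cannot be mapped to fields
    """
    fields, events, problems = None, [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line. Only #Fields changes how later rows are read;
            # it can reappear mid-file when the logging configuration changes.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None:
            problems.append((lineno, "data row before any #Fields header"))
        elif len(values) != len(fields):
            problems.append(
                (lineno, f"expected {len(fields)} values, got {len(values)}"))
        else:
            events.append(dict(zip(fields, values)))
    return events, problems


if __name__ == "__main__":
    events, problems = parse_w3c(SAMPLE_LOG.splitlines())
    for event in events:
        print(event.get("cs-method"), event.get("cs-uri-stem"), event.get("sc-status"))
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```
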