All Apps and Add-ons

Cannot produce fields from IIS logs - please help


I'm new to Splunk

I have a trivial task of analyzing ISS logs.
So I
- installed Splunk on local computer.
- installed "Splunk Add-on for Microsoft IIS"
- Created data source from folder, using ms:iis:auto as source type and Splunk_TA_microsoft-iis.
alt text

When I do search after the source was created it displays no IIS log fields, but some internal ones only.
alt text

I can not understand from documentation what should I do to see IIS fields in IIS log files.
I tried all combinations, like default application, source type iis or ms:iis:default - same outcome.

Please help.

0 Karma


As a new person to Splunk I could not achieve basic functionality of reading W3C log.
I used Log Parser to achieve the aim.

The outcome in regards to Splunk - I deleted it and developed a negative bias to that tech.

0 Karma


Hi ,
There are 2 things here, testing the events as you want them and doing it in production-
Since you know the path of the logs you are trying to index, and for testing
got to settings > add data > monitor > files & directories > select the folder/file you want to monitor.

Once you do this you should be able to see if data gets indexed in your local splunk, that would rule out issues with the source data.
We did this for one of our production apps AND we did not use the add in app. Once we were sure of the data indexed by testing through continuous monitoring, we simply added a forwarder to send the logs from the specific folder to the production splunk instance.
WARNING - If you do decide to monitor the logs manually. keep an eye on the data being indexed , you could run out of your trial license limits...

0 Karma


hi @Sukinen1981

As this point of time I want to verify the software can work with IIS logs.
I added the source folder using "got to settings > add data > monitor > files & directories > select the folder/file"
Nothing changed. Splunk does import files BUT does NOT parse the log.
It just displays log lines, regardless header or data, and does not parse into fields.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...