
How to parse IIS Web logs (from Splunk Add-on for AWS) with Splunk Add-on for Microsoft IIS?

Log_wrangler
Builder

I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log

I need to parse this source with the Splunk Add-on for Microsoft IIS to search thru loads of web server logs.

Please advise next steps or how I might parse these logs.

Thank you

1 Solution

jconger
Splunk Employee
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source:: stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms

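To rehearse steps 2-4 of the accepted answer before editing a live $SPLUNK_HOME, here is an added shell example (not from this thread and not the add-on's own code) that performs the copy-and-rename on a throwaway directory and checks the result. It assumes the shipped default/props.conf keeps its IIS settings under [ms:iis:default], as the answer states; the stanza body it writes is a constructed stand-in, not the add-on's real settings, and the helper names make_fake_addon, apply_iis_knowledge and stanza_headers are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Splunk add-on.
# Rehearses steps 2-4 of the accepted answer against a throwaway copy of the
# add-on directory so the edit can be inspected before touching $SPLUNK_HOME.
# Assumption: default/props.conf holds its IIS knowledge under [ms:iis:default]
# (as the answer says). The stanza body below is a constructed stand-in.

# Build a stand-in for $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/default.
make_fake_addon() {
  app="$1"
  mkdir -p "$app/default"
  cat > "$app/default/props.conf" <<'EOF'
# constructed stand-in for the add-on's shipped props.conf
[ms:iis:default]
SHOULD_LINEMERGE = false
REPORT-iis_example = iis_fields_example
EOF
}

# Steps 2-4: create local/, copy props.conf there, and rename the stanza so
# the add-on's search-time knowledge attaches to the S3-delivered source.
# $1 = add-on directory, $2 = value for the [source::...] header, which may
# use props.conf wildcards ('*' does not cross '/', '...' does).
apply_iis_knowledge() {
  app="$1"; src_pattern="$2"
  mkdir -p "$app/local"
  cp "$app/default/props.conf" "$app/local/props.conf"
  # Escape characters that are special on sed's replacement side ('|' is the delimiter).
  esc=$(printf '%s' "$src_pattern" | sed 's/[&|\\]/\\&/g')
  sed "s|^\[ms:iis:default\]|[source::${esc}]|" "$app/local/props.conf" \
    > "$app/local/props.conf.tmp" \
    && mv "$app/local/props.conf.tmp" "$app/local/props.conf"
}

# Quick check: list the stanza headers now present in local/props.conf.
stanza_headers() {
  grep '^\[' "$1/local/props.conf"
}

# Stand-alone demonstration on a temporary directory.
demo() {
  work=$(mktemp -d)
  app="$work/Splunk_TA_microsoft-iis"
  make_fake_addon "$app"
  apply_iis_knowledge "$app" 's3://my_aws_logs/webserver/logs/*.log'
  echo "local/props.conf after the rename:"
  cat "$app/local/props.conf"
  rm -rf "$work"
}
demo
```

Two things worth checking after the real edit: the change is search-time only, so it applies to events already indexed as aws:s3, but the events keep that sourcetype, so look at the add-on's eventtypes.conf and, if its searches are keyed on sourcetype=ms:iis:default, the CIM tags will not attach to these events without a matching stanza. And when wildcarding the header, remember that in props.conf a `*` in a source:: pattern does not match `/`, so a pattern covering several S3 prefixes needs `...`.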
Log_wrangler
Builder

I tried your suggestion but I am not seeing the fields parse out differently. Do you think I need to override the aws:s3 sourcetype and change it to ms iis sourcetype?

thanks

Log_wrangler
Builder

Looks like there was an ID10T error causing it not to work, but it does now, thx

Log_wrangler
Builder

Thank you I will test it and let you know.
