All Apps and Add-ons

How to parse IIS Web logs (from Splunk Add-on for AWS) with Splunk Add-on for Microsoft IIS?

Log_wrangler
Builder

I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log

I need to parse this source with the Splunk Add-on for Microsoft IIS to search thru loads of web server logs.

Please advise next steps or how I might parse these logs.

Thank you

0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source:: stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms

View solution in original post

0 Karma

jconger
Splunk Employee
Splunk Employee
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source:: stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms

0 Karma

Log_wrangler
Builder

I tried your suggestion but I am not seeing the fields parse out differently. Do you think I need to override the aws:s3 sourcetype and change it to ms iis sourcetype?

thanks

0 Karma

Log_wrangler
Builder

Looks like there was an ID10T error causing it not to work, but it does now, thx

0 Karma

Log_wrangler
Builder

Thank you I will test it and let you know.

0 Karma
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...