I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log
I need to parse this source with the Splunk Add-on for Microsoft IIS to search through loads of web server logs.
Please advise next steps or how I might parse these logs.
Thank you
local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
Note: you can wildcard the [source::...] stanza if you have multiple sources.
Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms
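As an added illustration of the search-time approach the answer describes (this is the editor's example, not the answerer's config and not the add-on's own stanzas): a [source::...] stanza in the add-on's local directory that applies a delimiter-based extraction to events that keep sourcetype=aws:s3. The stanza name iis_w3c_default_fields is hypothetical, and the FIELDS list assumes IIS's default W3C field selection; if the servers log a different field set, edit the list to match, which is the "modify transforms.conf" step the answer points to.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/props.conf
# Search-time extraction keyed on the S3 source rather than the sourcetype,
# so already-indexed events can stay sourcetype=aws:s3. The wildcard covers
# every *.log object under the prefix (the answer's "wildcard the stanza").
[source::s3://my_aws_logs/webserver/logs/*.log]
REPORT-iis_w3c = iis_w3c_default_fields

# $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/transforms.conf
# Hypothetical stanza name (assumption, not from the add-on).
# FIELDS assumes the IIS default W3C field order. DELIMS cannot read the
# "#Fields:" header line, so a different field selection on the servers
# means this list must be edited by hand, in the logged order.
[iis_w3c_default_fields]
DELIMS = " "
FIELDS = date, time, s_ip, cs_method, cs_uri_stem, cs_uri_query, s_port, cs_username, c_ip, cs_User_Agent, cs_Referer, sc_status, sc_substatus, sc_win32_status, time_taken

# Check, after reloading search-time knowledge (e.g. /debug/refresh):
#   sourcetype=aws:s3 source="s3://my_aws_logs/webserver/logs/*.log"
#   | stats count by sc_status cs_uri_stem
# A correct FIELDS order shows HTTP status codes in sc_status; if URIs or
# timestamps land there instead, the field list does not match the logs.
```

Two caveats: the "#Software"/"#Version"/"#Fields" header lines in each IIS log will also be split by DELIMS and yield junk field values for those events, so filter them out of counts (e.g. exclude events whose date field starts with "#"); and because the sourcetype is left as aws:s3, any knowledge objects the add-on scopes to its own sourcetype will not apply to these events, which is the trade-off behind the question of overriding the sourcetype instead.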
I tried your suggestion but I am not seeing the fields parse out differently. Do you think I need to override the aws:s3 sourcetype and change it to ms iis sourcetype?
thanks
Looks like there was an ID10T error causing it not to work, but it does now, thanks
Thank you I will test it and let you know.