All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse IIS Web logs (from Splunk Add-on for AWS) with Splunk Add-on for Microsoft IIS?

Log_wrangler
Builder
‎05-07-2018 09:39 AM

I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log

I need to parse this source with the Splunk Add-on for Microsoft IIS to search thru loads of web server logs.

Please advise next steps or how I might parse these logs.

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎05-07-2018 10:08 AM
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source:: stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎05-07-2018 10:08 AM
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source:: stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎05-09-2018 08:51 AM

I tried your suggestion but I am not seeing the fields parse out differently. Do you think I need to override the aws:s3 sourcetype and change it to ms iis sourcetype?

thanks

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎05-11-2018 07:26 AM

Looks like there was an ID10T error causing it not to work, but it does now, thx

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎05-07-2018 11:47 AM

Thank you I will test it and let you know.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...