All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to parse IIS Web logs (from Splunk Add-on for AWS) with Splunk Add-on for Microsoft IIS?

Log_wrangler
Builder
‎05-07-2018 09:39 AM

I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log

I need to parse this source with the Splunk Add-on for Microsoft IIS to search thru loads of web server logs.

Please advise next steps or how I might parse these logs.

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎05-07-2018 10:08 AM
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source:: stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎05-07-2018 10:08 AM
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source:: stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎05-09-2018 08:51 AM

I tried your suggestion but I am not seeing the fields parse out differently. Do you think I need to override the aws:s3 sourcetype and change it to ms iis sourcetype?

thanks

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎05-11-2018 07:26 AM

Looks like there was an ID10T error causing it not to work, but it does now, thx

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎05-07-2018 11:47 AM

Thank you I will test it and let you know.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...