Is Website setup dynamic because the name of logging file is changing with time and date?

dban2005
New Member

We are collecting IIS logs from three Windows Web servers for a very large application. Initially I named the sourcetype as iis_default and have just changed it to iis to make the files appear in Website setup of Web Analytics. The sources (log files) have appeared with wildcard filter . Now the problem is that the name of the log file changes every few hours to capture new logs. All the log files are located at D:\IISLogs\PRD\LogFiles\W3SVC, so examples of the log files are as below.
D:\IISLogs\PRD\LogFiles\W3SVC9\x_yz20180225.log
D:\IISLogs\PRD\LogFiles\W3SVC9\x_yz20180226.log
D:\IISLogs\PRD\LogFiles\W3SVC9\x_yz20180227.log

My inputs.conf:

[monitor://D:\IISLogs\PRD\LogFiles\W3SVC*\]
sourcetype = iis
disabled = false
recursive = true
alwaysOpenFile = true
blacklist = .*\.zip$
index = abcd-index

In the Setup new website section, can I set up as D:\IISLogs\PRD\LogFiles\W3SVC*? If so, is "Configured websites" dynamic? Can it automatically take care when any new log file arrives?

On a separate question: Do I need to set up the lookups and rebuild Data Model Acceleration every time I configure a new website?

0 Karma

sbrice18
Path Finder

When we add a new site we do re-run the lookups; this is how the data gets published in the DM. You are probably aware the rebuild on the DM takes a bit of time. We are still in the test phase, so we do rebuild the DM with any changes we apply.

Yes to your first question, it will see the new logs as they rotate into the directory.

0 Karma

dban2005
New Member

Correction: All the log files are located at D:\IISLogs\PRD\LogFiles\W3SVC*

0 Karma