All Apps and Add-ons

Is there any way to get the native Splunk IIS extractions to work with the Splunk Add-on for Microsoft Cloud Services?

kmanson
Path Finder

Is there anyway to get the Splunk native IIS extractions to work with the Splunk Add-on for Microsoft Cloud Services? Setting the sourcetype to IIS doesn't extract the fields. If I download the actual log file from the Azure storage blob using Storage Explorer and one shot the file it works great, not so much when pulling the logs with this app.

Splunk 6.4
Splunk Add-on for Microsoft Cloud Services 2.0.1

0 Karma
1 Solution

rarsan_splunk
Splunk Employee
Splunk Employee

[Update]
Splunk 6.5 adds structured indexed extractions support to modular inputs, but only for JSON, not IIS.
Until IIS support is added, follow this workaround using search-time extractions.


Upgrade to Splunk 6.5 which adds supports for indexed extractions to modular inputs.
Otherwise, you can slightly modify underlying sourcetype using this workaround:
https://answers.splunk.com/answers/311972/aws-cloudfront.html#answer-315294
(Example is about AWS CloudFront logs but same solution applies - both data sources are W3C log file format)

View solution in original post

deangoris
Explorer

Hi, I would like to pick this up again.

We're running on Splunk 8.1 now with the IIS add-on en ms:iis:auto source type working good for some time already.

Recently we added the add-on for Microsoft Cloud Services and try to read the IIS logfiles from there as well.

It looks like ms:iis:auto isn't extracting the fields. Is this still a problem for these kind of modular inputs or should this be perfectly possible?

0 Karma

rarsan_splunk
Splunk Employee
Splunk Employee

[Update]
Splunk 6.5 adds structured indexed extractions support to modular inputs, but only for JSON, not IIS.
Until IIS support is added, follow this workaround using search-time extractions.


Upgrade to Splunk 6.5 which adds supports for indexed extractions to modular inputs.
Otherwise, you can slightly modify underlying sourcetype using this workaround:
https://answers.splunk.com/answers/311972/aws-cloudfront.html#answer-315294
(Example is about AWS CloudFront logs but same solution applies - both data sources are W3C log file format)

kmanson
Path Finder

Very helpful information, we are just waiting on 6.5.1 before upgrading. Let us test in a dev environment and I will accept this as the answer.

0 Karma

lding_splunk
Splunk Employee
Splunk Employee

Thanks rarsan, that's very helpful.

0 Karma

lding_splunk
Splunk Employee
Splunk Employee

Hi Kmanson,

thanks for reporting this, one quick questions, which sourcetype did you use? "ms:iis:auto" or "ms:iis:default"?

0 Karma

kmanson
Path Finder

I actually used "IIS" sourcetype, "ms:iis:auto" appears to be the same with the additional alias and evals. "ms:iis:default" will not work since it's not default fields.

Software: Microsoft Internet Information Services 8.0
Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
0 Karma

lding_splunk
Splunk Employee
Splunk Employee

Thanks for the info, that's very helpful.
it seems INDEXED_EXTRACTIONS = w3c doesn't work with events indexed via modular input, but we will double check it and get back to you.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...