
Is there any way to get the native Splunk IIS extractions to work with the Splunk Add-on for Microsoft Cloud Services?

Path Finder

Is there any way to get the Splunk native IIS extractions to work with the Splunk Add-on for Microsoft Cloud Services? Setting the sourcetype to IIS doesn't extract the fields. If I download the actual log file from the Azure storage blob using Storage Explorer and one-shot the file, it works great; not so much when pulling the logs with this app.

Splunk 6.4
Splunk Add-on for Microsoft Cloud Services 2.0.1


Splunk Employee

[Update]
Splunk 6.5 adds structured indexed extractions support to modular inputs, but only for JSON, not IIS.
Until IIS support is added, follow this workaround using search-time extractions.


Upgrade to Splunk 6.5, which adds support for indexed extractions to modular inputs.
Otherwise, you can slightly modify the underlying sourcetype using this workaround:
https://answers.splunk.com/answers/311972/aws-cloudfront.html#answer-315294
(The example is about AWS CloudFront logs, but the same solution applies; both data sources are in W3C log file format.)


Path Finder

Very helpful information, we are just waiting on 6.5.1 before upgrading. Let us test in a dev environment and I will accept this as the answer.


Splunk Employee

Thanks rarsan, that's very helpful.


Splunk Employee

Hi Kmanson,

Thanks for reporting this. One quick question: which sourcetype did you use, "ms:iis:auto" or "ms:iis:default"?


Path Finder

I actually used the "IIS" sourcetype; "ms:iis:auto" appears to be the same with the additional aliases and evals. "ms:iis:default" will not work since it's not the default fields.

Software: Microsoft Internet Information Services 8.0
Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
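To make the difference between the two paths concrete, here is an added example (not code from this thread, the Splunk IIS sourcetype, or the Microsoft Cloud Services add-on) that does in Python what INDEXED_EXTRACTIONS = w3c does at index time: read the #Fields directive, then split each event line on spaces in that order, treating "-" as empty and padding missing trailing columns (the detect_trailing_nulls case). It then shows the situation the add-on creates: when events arrive one at a time without the #Fields header, the field list has to be supplied explicitly, which is what a search-time DELIMS/FIELDS extraction in transforms.conf hard-codes. The log excerpt, the function names, and the stanza name iis_w3c_fields are all constructed for this example; the idea that the missing header is why the indexed extraction fails for modular-input events is my assumption, not something the thread confirms.

```python
"""Parse W3C Extended Log Format (as written by IIS) from the #Fields directive.

Added example for the thread above; not code from the thread, the Splunk
IIS sourcetype, or the Microsoft Cloud Services add-on.
"""
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample in the IIS 8.0 layout the poster listed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2016-10-01 00:00:00
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-10-01 00:00:01 W3SVC1 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - https://www.example.com/ www.example.com 200 0 0 1024 512 15
2016-10-01 00:00:02 W3SVC1 POST /login - 443 - 203.0.113.11 curl/7.47.0 - - www.example.com 401 2 5 0 128 3
"""

# The field list as it would have to be hard-coded once the header is gone
# (e.g. for events delivered individually by a modular input).
SAMPLE_FIELDS = SAMPLE_LOG.splitlines()[3][len("#Fields:"):].split()

Event = Dict[str, Optional[str]]


def normalise_field_name(name: str) -> str:
    """Turn a W3C column name into a plain identifier, in the same spirit as
    Splunk's field naming: hyphens and parentheses become underscores, so
    cs-uri-stem -> cs_uri_stem and cs(User-Agent) -> cs_User_Agent."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name).strip("_")


def split_event(line: str, fields: List[str]) -> Event:
    """Map one space-delimited event line onto the given column names.
    "-" means empty; fewer values than columns is treated as trailing nulls,
    more values than columns is an error (the line does not match the header)."""
    values = line.split(" ")
    if len(values) > len(fields):
        raise ValueError(f"{len(values)} values for {len(fields)} fields: {line!r}")
    values += [None] * (len(fields) - len(values))  # pad trailing nulls
    return {normalise_field_name(f): (None if v == "-" else v)
            for f, v in zip(fields, values)}


def parse_w3c(text: str) -> Iterator[Event]:
    """Index-time style parse: the #Fields directive in the file names the columns."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software/#Version/#Date carry metadata, not events
        if not fields:
            raise ValueError("event line seen before any #Fields directive")
        yield split_event(line, fields)


def parse_headerless_events(lines: List[str], fields: List[str]) -> List[Event]:
    """Search-time style parse: events arrive without the header, so the caller
    must supply the column order (what a fixed FIELDS list hard-codes)."""
    return [split_event(line.strip(), fields) for line in lines if line.strip()]


def transforms_stanza(fields: List[str], name: str = "iis_w3c_fields") -> str:
    """Render a transforms.conf stanza using DELIMS/FIELDS (real settings) that
    extracts the same columns at search time. The stanza name is constructed."""
    names = ",".join(normalise_field_name(f) for f in fields)
    return f'[{name}]\nDELIMS = " "\nFIELDS = {names}\n'


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_LOG):
        print(ev["c_ip"], ev["cs_method"], ev["cs_uri_stem"], ev["sc_status"])
    print(transforms_stanza(SAMPLE_FIELDS))
```

The stanza would still need a matching REPORT-&lt;name&gt; entry under the sourcetype in props.conf, and the column order must be kept in step with the IIS logging configuration on the server, since nothing in the event itself can tell you it changed.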

Splunk Employee

Thanks for the info, that's very helpful.
It seems INDEXED_EXTRACTIONS = w3c doesn't work with events indexed via modular input, but we will double check it and get back to you.
