Is there any way to get the native Splunk IIS extractions to work with the Splunk Add-on for Microsoft Cloud Services?

kmanson
Path Finder

Is there any way to get the Splunk native IIS extractions to work with the Splunk Add-on for Microsoft Cloud Services? Setting the sourcetype to IIS doesn't extract the fields. If I download the actual log file from the Azure storage blob using Storage Explorer and one-shot the file, it works great; not so much when pulling the logs with this app.

Splunk 6.4
Splunk Add-on for Microsoft Cloud Services 2.0.1


rarsan_splunk
Splunk Employee

[Update]
Splunk 6.5 adds structured indexed extractions support to modular inputs, but only for JSON, not IIS.
Until IIS support is added, follow this workaround using search-time extractions.


Upgrade to Splunk 6.5, which adds support for indexed extractions to modular inputs.
Otherwise, you can slightly modify the underlying sourcetype using this workaround:
https://answers.splunk.com/answers/311972/aws-cloudfront.html#answer-315294
(Example is about AWS CloudFront logs but same solution applies - both data sources are W3C log file format)


deangoris
Explorer

Hi, I would like to pick this up again.

We're running on Splunk 8.1 now with the IIS add-on and the ms:iis:auto sourcetype, which have been working well for some time already.

Recently we added the add-on for Microsoft Cloud Services and are trying to read the IIS log files from there as well.

It looks like ms:iis:auto isn't extracting the fields. Is this still a problem for these kinds of modular inputs, or should this be perfectly possible?

kmanson
Path Finder

Very helpful information, we are just waiting on 6.5.1 before upgrading. Let us test in a dev environment and I will accept this as the answer.


lding_splunk
Splunk Employee

Thanks rarsan, that's very helpful.


lding_splunk
Splunk Employee

Hi Kmanson,

Thanks for reporting this. One quick question: which sourcetype did you use, "ms:iis:auto" or "ms:iis:default"?


kmanson
Path Finder

I actually used "IIS" sourcetype, "ms:iis:auto" appears to be the same with the additional alias and evals. "ms:iis:default" will not work since it's not default fields.

Software: Microsoft Internet Information Services 8.0
Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

# props.conf stanza for the "iis" sourcetype
[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
# index-time structured extraction keyed on the W3C "#Fields:" header line
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
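The search-time workaround rarsan links to, applied to the exact field list kmanson posted, written out here as an added example. This is not configuration from the thread, from the IIS add-on, or from the Microsoft Cloud Services add-on. The sourcetype name `iis:w3c:searchtime` and the transform name `iis_w3c_fields` are placeholders I chose; the field order comes from the `#Fields:` line above, and the log timestamps are assumed to be UTC (the IIS default).

```ini
# props.conf  (added example, not from either add-on)
# Deploy where search-time extraction runs (the search head). The sourcetype
# name is a placeholder: assign it to the Cloud Services storage-blob input
# instead of "iis" so nothing relies on the INDEXED_EXTRACTIONS = w3c stanza,
# which modular inputs bypass.
[iis:w3c:searchtime]
SHOULD_LINEMERGE = false
# IIS W3C events begin "YYYY-MM-DD HH:MM:SS"; IIS writes UTC by default (assumed here)
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TZ = UTC
# Switch off automatic key=value extraction so it does not compete with the
# delimited extraction below
KV_MODE = none
# Search-time delimited extraction; "iis_w3c_fields" is defined in transforms.conf
REPORT-iis_w3c = iis_w3c_fields
# Friendlier names for the fields most searches use (c_ip, sc_status, ... are
# the names the transform produces)
FIELDALIAS-iis_w3c = c_ip AS src_ip sc_status AS status cs_uri_stem AS uri_path cs_User_Agent AS http_user_agent
# W3C writes "-" for an empty value; surface that as null so counts and dc()
# are not skewed. Calculated fields run after REPORT extractions.
EVAL-user = if(cs_username=="-", null(), cs_username)
EVAL-referer = if(cs_Referer=="-", null(), cs_Referer)

# transforms.conf  (added example)
[iis_w3c_fields]
# Whitespace-delimited. IIS replaces spaces inside values such as
# cs(User-Agent) with "+", so a single space always separates columns.
DELIMS = " "
# Order copied from the "#Fields:" line of the IIS 8.0 log above. "-" and the
# "(" ")" of cs(User-Agent) etc. become "_" because Splunk field names must
# match [A-Za-z0-9_].
FIELDS = date, time, s_sitename, cs_method, cs_uri_stem, cs_uri_query, s_port, cs_username, c_ip, cs_User_Agent, cs_Cookie, cs_Referer, cs_host, sc_status, sc_substatus, sc_win32_status, sc_bytes, cs_bytes, time_taken
```

Two caveats when using this: the `#Software`, `#Version`, `#Date` and `#Fields` header lines arrive as ordinary events through the modular input and will not fit the column layout, so exclude them in searches; and if the same logs are ever one-shotted with the stock `iis` sourcetype, keep the two sourcetypes separate, otherwise events carry both the indexed fields and the search-time ones.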

lding_splunk
Splunk Employee

Thanks for the info, that's very helpful.
It seems INDEXED_EXTRACTIONS = w3c doesn't work with events indexed via a modular input, but we will double-check and get back to you.
