All Apps and Add-ons

Splunk TA-Windows-Exchange-IIS vs sourcetype=IIS


I have the Splunk App for Exchange but Splunk documentation is unclear on how to handle my situation.
I have servers with IIS and thus IIS logs, so my generic ALL-WINDOWS server class detects the IIS logs and sets the sourcetype=iis so that all the fields get parsed properly.

The Splunk TA for Exchange IIS is here but obviously my Exchange_IIS Serverclass is lesser precedence. Regardless, it doesnt make sense that TA-Windows-Exchange-IIS sets sourcetype=MSWindows:2008R2:IIS when it misses out on the dynamic IIS log parsing.

How can I make all the Exchange dashboards properly populate using sourcetype=iis?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...