Hi
I am new to Splunk and looking to use it for analytics in place of Matomo. I have it gathering my logs and I can query them. However, I am trying to understand what benefits I would get from this add-on? Does it enrich the data or provide prebuilt queries/dashboards?
Thanks
Hi, thanks for the info. I have been querying the logs we are getting from IIS without this add-on and it seems to be working ok. I can search/filter on the various parts of IIS logs already (cs_username, time_taken, cs_uri_stem etc.) so I still don't really understand what I may be missing out on, plus I will need to ask our admin to make use of this and they will ask why.
Hi
You can collect those logs by just using inputs.conf with the correct definition. But in this case (TA IIS) the biggest benefit is that when you also install this on the SH layer, you will get CIM compliance integration. Also, you could choose what those field names are based on your IIS version and probably get some additional extractions.
Also, there is some data cleaning of unneeded strings (like comments) before indexing (saves license).
See: https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About
As @richgalloway said, some other TAs are mandatory for getting data in, some help and some are just nice to have. Personally, I prefer to install these even in nice-to-have cases.
r. Ismo
Thanks. I will approach the team responsible and see if they can add this.
In the Splunk world, an "add-on" is an extension that helps bring data into Splunk. Sometimes, the add-on will use an API to actively retrieve data, but more often it provides configurations that help Splunk to interpret the data that arrives from a source.
In the case of this add-on, it is expected to be installed with a Splunk Universal Forwarder (UF) on the system on which IIS is running. The add-on tells the UF to read the IIS logs and forward them to Splunk. Install the add-on to your indexer(s) and search head(s) so they know how to extract fields from the logs.
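Added example, not part of the thread and not the add-on's own code: a small Python sketch of the two things the replies mention, dropping `#` comment lines before they are counted and naming fields from the `#Fields:` header that IIS writes. The sample log is constructed, and the hyphen-to-underscore renaming is an assumption taken from the field names quoted in the thread (`cs_username`, `time_taken`, `cs_uri_stem`).

```python
# Constructed sample of an IIS W3C extended log; the field list changes mid-file,
# as it does when logging settings are changed on the server.
SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status time-taken
2024-01-15 10:00:01 GET /index.html - 203.0.113.7 200 15
2024-01-15 10:00:02 POST /login.aspx alice 203.0.113.8 302 120
#Date: 2024-01-15 11:00:00
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-15 11:00:03 GET /admin 203.0.113.9 403
"""


def parse_iis_w3c(text):
    """Return (events, comment_bytes).

    events: one dict per request line, keyed by underscore-style field names.
    comment_bytes: bytes of '#' directive lines that carry no event data.
    """
    fields, events, comment_bytes = [], [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            comment_bytes += len(line.encode("utf-8")) + 1  # +1 for the newline
            if line.startswith("#Fields:"):
                # The most recent header decides how the following lines are read.
                names = line[len("#Fields:"):].split()
                fields = [n.replace("-", "_") for n in names]
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # no header seen yet, or a malformed line: do not guess
        # IIS writes "-" for an empty value; store it as None.
        events.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return events, comment_bytes


if __name__ == "__main__":
    events, wasted = parse_iis_w3c(SAMPLE)
    for e in events:
        print(e)
    print("comment bytes not worth indexing:", wasted)
```

Without header tracking, the third request line would be read with the first header's field order and `c_ip` would land in `cs_username`.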