I am still trying to work out sourcetype=iis . I am aware of the Add-On for IIS and have installed it, but I want to use the Splunk App for Web Analytics - and I am still unsure as to if I have to have IIS Add-On for Splunk or if sourcetype=iis should be able to parse W3SVC logs from iis, which are default I believe. That is, iis has three options for logging: iis, NCSA, and W3SVC ... all of which are 'iis logs'
So, can someone please tell me what sourcetype=iis will actually read? The IIS 'iis' log type only, or more of the 'iis log formats'? Thank you.
ms:iis:auto Microsoft IIS log files in W3C format. Use this source type to enable index-time field extraction.
ms:iis:default Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction.
The above are the two sourcetypes which will be created using IIS add for microsoft.
But for webanalytics, the data is loaded automatically for dashboards, considering the the role has appropriate permissions to read W3SVC logs.
If your data is stored in an index that is not searched by default for your Splunk user, you need to add All non-internal indexes (or the specific index in question) to the Selected indexes in Access controls -> Roles -> [ROLE NAME]
The Splunk App for Web Analytics currently supports data from Apache, IIS and AWS Cloudfront logs. Make sure you use the sourcetypes accesscommon, accesscombined, iis, apache:access or aws:cloudfront:accesslogs for this data. If you already have data in Splunk under a different sourcetype you can use sourcetype renaming or by modifying the eventtype web-traffic to include the names of your sourcetypes.
from the web analytics description:
you need to add W3SVC logs to route to sourcetype=iis, then the app will pickup logs automatically.
Thanks. Can you tell me how to route the W3SVC logs to sourcetype=iis ? If so, does that mean that I do not need to use Microsoft IIS Add-On for iis logs and that I can use W3SVC logs as sourcetype=iis without doing anything else ? The existence/use of the IIS Add-On has confused me, I must admit. Thanks again.