Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

IIS Logs by Application

MCrank
Engager
‎03-05-2013 09:42 AM

Hello all. Splunk Newbie here so forgive me if some of this may be redundant. I did some searching through the answers and couldn't really find an answer to what I am attempting to do. Maybe I am going about it wrong and just need to leverage the search capabilities.

So we have our IIS logs setup in a directory similar to this:

D:\Logs\Web\App1
\App2
\App3

Is it possible to configure the UF to configure a source type for each individual App to better segregate the logs for each individual APP within Splunk. The idea is to be able to filter the logs based on Source Type App1 and then perform searches just within the IIS logs for App1? Or is this just silliness within the splunk world? Some of our Apps generate Many GBs of IIS log data per data so I thought it would be nice to separate the Logs out like this. There may be another way to do this as well. I am open to any suggestions!

Thank you

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎03-05-2013 10:49 AM

Technically speaking, you can separate them out in that manner. You can do something like:

[monitor://D:\LogsWebApp1]
sourcetype = App1

[monitor://D:\LogsWebApp2]
sourcetype = App2

[monitor://D:\LogsWebApp3]
sourcetype = App3

Then you can use props/transforms to specify the fields on your indexer.

View solution in original post

Reply
Solved! Jump to solution

MCrank
Engager
‎03-06-2013 08:22 AM

That looks like it is working as I wanted. Thank you jbsplunk

0 Karma
Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎03-05-2013 10:49 AM

Technically speaking, you can separate them out in that manner. You can do something like:

[monitor://D:\LogsWebApp1]
sourcetype = App1

[monitor://D:\LogsWebApp2]
sourcetype = App2

[monitor://D:\LogsWebApp3]
sourcetype = App3

Then you can use props/transforms to specify the fields on your indexer.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...