Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

IIS integration with splunk

Nawab
Communicator
‎01-29-2025 04:17 AM

I have an IIS server that is sending logs to splunk, and the logs are saved in w3c format. but I found that logs are save in UTC time format. and only IIS format can save logs in local time but there is no parser for IIs.

 

if someone have integrated IIS do let me know

Labels (1)
Labels
0 Karma
Reply

Nawab
Communicator
‎01-29-2025 11:56 PM

Hi, I have installed the add on on search head and indexers, but it is not working.

I am using 1st log format which w3c.

 

The time in w3c is UTC, but we need it in gtm+3.

 

for second log format which is IIS, it is not pared at any sourcetype available in addon

0 Karma
Reply

dural_yyz
Motivator
‎01-29-2025 06:21 AM

Can you tell me which format your are ingesting from these examples.

https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90)

#Software: Internet Information Services 6.0 
#Version: 1.0 
#Date: 2001-05-02 17:42:15 
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0

OR

192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SALES1, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -, 
172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,

 

Once you confirm which format someone should be able to provide a recommended props.conf for the ingested sourcetype.

Ofcourse you could opt for the app from Splunk base which looks to be very complete for IIS server logs.

https://splunkbase.splunk.com/app/3185

 

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎01-29-2025 06:18 AM

Hi @Nawab 

Have you tried integrated using  add on and documention, this documentation helps to setup the iis logs

https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About 

https://splunkbase.splunk.com/app/3185 


0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...

Index This | What is feather-light but cannot be held long?

May 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...