I am having a difficult time getting Splunk to recognize fields from my IIS 7.5 logs. I know that there are many, many posts in splunk-base regarding this - I have looked through many of them and tried the suggested answers in at least 8-10 different posts. None of them have worked for me, even though I don't have a custom config - just a standard IIS server with logging enabled and default fields selected. The files get indexed, but the fields are not recognized (i.e. I cannot simply search for "time-taken > 50" within the data indexed from these logs).
Here is my full config:
Client UF: 4.3.3
Intermediary UF: 4.3.3
Client UF sends data to intermediary UF, which sends it to the indexer.
My current config (and last attempt to make this work) on the Client UF is:
# inputs.conf
[monitor://C:\inetpub\logs]
disabled = false
followTail = 0
sourcetype = iisw3c
index = testindex

# props.conf
[iisw3c]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments

# transforms.conf
[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue

[iisw3cfields]
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken
What am I doing wrong?
Thanks in advance!
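Added example, not code from the post above: a small Python parser for the W3C extended format that IIS writes, showing what the delimiter-based extraction in the config has to achieve (take the column names from the "#Fields:" header, drop the other "#" comment lines, split each event on single spaces) and then applying the "time-taken > 50" filter the question asks about. The sample log lines are constructed for the example.

```python
# Constructed sample of an IIS 7.5 W3C extended log (not taken from the post).
# IIS replaces spaces inside values such as the User-Agent with '+', which is
# why a single-space delimiter is enough to split a line into columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-09-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-09-01 00:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 31
2012-09-01 00:00:02 10.0.0.5 GET /api/data id=7 80 - 10.0.0.9 Mozilla/5.0 500 0 0 812
2012-09-01 00:00:03 10.0.0.5 POST /login - 80 - 10.0.0.11 curl/7.29 401 2 5 64
"""

NUMERIC_FIELDS = ("sc-status", "sc-substatus", "sc-win32-status", "time-taken")


def parse_w3c(text):
    """Yield one dict per event. The '#Fields:' header defines the column
    names; every other '#' line is a comment and is dropped, which is the job
    the nullQueue transform does in the Splunk config."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appeared before the #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            # A column count mismatch means the delimiter-based mapping would
            # assign values to the wrong field names, so fail loudly instead.
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        event = dict(zip(fields, values))
        for key in NUMERIC_FIELDS:
            if key in event and event[key] != "-":
                event[key] = int(event[key])
        yield event


def slow_requests(text, threshold_ms=50):
    """Equivalent of the search 'time-taken > 50' over the parsed events."""
    return [e for e in parse_w3c(text) if e["time-taken"] > threshold_ms]
```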