Ingest IIS Appcmd into table visualization

phreakingjt
New Member

I apologize if this has been asked before, I couldn't find it via the search/google/youtube.

I'm outputting IIS AppPool/Site configurations to text file (One for AppPools, and one for Sites), and ingesting them into splunk. For the life of me I cannot figure out how to get this to format correctly in splunk, or what I need to do in order to put it in a readable format that I can use to compare 2 IIS Configs against each other in a table. I'll share a test config file that I made, and maybe someone can tell me how I should be formatting it.

AppCmd does give you the option to export to XML, would this be an easier option for splunk to parse it correctly?

SITE
  SITE.NAME:"Test"
  SITE.ID:"2"
  bindings:"http/*:80:*"
  state:"Started"
  [site] 
    name:"Test" 
    id:"2" 
    serverAutoStart:"true" 
    [bindings] 
      [binding] 
        protocol:"http" 
        bindingInformation:"*:80:*" 
        sslFlags:"0" 
    [limits] 
      maxBandwidth:"4294967295" 
      maxConnections:"4294967295" 
      connectionTimeout:"00:02:00" 
      maxUrlSegments:"32" 
    [logFile] 
      logExtFileFlags:"Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, HttpSubStatus" 
      customLogPluginClsid:"" 
      logFormat:"W3C" 
      logTargetW3C:"File" 
      directory:"C:\inetpub\logs\LogFiles" 
      period:"Daily" 
      truncateSize:"20971520" 
      localTimeRollover:"false" 
      enabled:"true" 
      logSiteId:"true" 
      flushByEntryCountW3CLog:"0" 
      maxLogLineLength:"65536" 
      [customFields] 
        maxCustomFieldLength:"4096" 
    [traceFailedRequestsLogging] 
      enabled:"false" 
      directory:"C:\inetpub\logs\FailedReqLogFiles" 
      maxLogFiles:"50" 
      maxLogFileSizeKB:"1024" 
      customActionsEnabled:"false" 
    [applicationDefaults] 
      path:"" 
      applicationPool:"" 
      enabledProtocols:"http" 
      serviceAutoStartEnabled:"false" 
      serviceAutoStartProvider:"" 
      preloadEnabled:"false" 
    [virtualDirectoryDefaults] 
      path:"" 
      physicalPath:"" 
      userName:"" 
      password:"" 
      logonMethod:"ClearText" 
      allowSubDirConfig:"true" 
    [ftpServer] 
      allowUTF8:"true" 
      serverAutoStart:"true" 
      [connections] 
        unauthenticatedTimeout:"30" 
        controlChannelTimeout:"120" 
        dataChannelTimeout:"30" 
        disableSocketPooling:"false" 
        serverListenBacklog:"60" 
        minBytesPerSecond:"240" 
        maxConnections:"4294967295" 
        resetOnMaxConnections:"false" 
        maxBandwidth:"4294967295" 
      [security] 
        [dataChannelSecurity] 
          matchClientAddressForPort:"true" 
          matchClientAddressForPasv:"true" 
        [commandFiltering] 
          maxCommandLine:"4096" 
          allowUnlisted:"true" 
        [ssl] 
          serverCertHash:"" 
          serverCertStoreName:"MY" 
          ssl128:"false" 
          controlChannelPolicy:"SslRequire" 
          dataChannelPolicy:"SslRequire" 
        [sslClientCertificates] 
          clientCertificatePolicy:"CertIgnore" 
          useActiveDirectoryMapping:"false" 
          validationFlags:"" 
          revocationFreshnessTime:"00:00:00" 
          revocationUrlRetrievalTimeout:"00:01:00" 
        [authentication] 
          [anonymousAuthentication] 
            enabled:"false" 
            userName:"IUSR" 
            password:"" 
            defaultLogonDomain:"NT AUTHORITY" 
            logonMethod:"ClearText" 
          [basicAuthentication] 
            enabled:"false" 
            defaultLogonDomain:"" 
            logonMethod:"ClearText" 
          [clientCertAuthentication] 

Splunk seems to extract some fields in [ ], but not all of them, and for some reason it thinks the whole config is a single entry as well.

Again, I apologize if this or a similar question has been asked. I'm relatively new to splunk. I appreciate any and all assistance.

Thanks.

0 Karma
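Splunk treats the whole appcmd dump as one event because nothing in the text tells it where one site ends and the next begins, and its automatic key/value extraction only picks up the top-level `key:"value"` pairs, not the `[section]` nesting. A common way around that, shown here as an added example that is not from the poster or from Splunk, is to pre-process the appcmd text into one JSON object per site with flattened dotted keys (e.g. `site.bindings.binding.bindingInformation`), so that each site becomes its own event and Splunk's JSON field extraction (`KV_MODE = json` in props.conf) surfaces every setting as a field that `table` and `transaction`/`stats` can compare. The sample input below is constructed to mimic the layout in the post (two-space indentation, `[section]` headers, `key:"value"` lines), and `diff_configs` is a hypothetical helper that reports which settings differ between two exported sites.

```python
import json
import re

SECTION_RE = re.compile(r'^\[(\w+)\]$')          # e.g. [bindings]
KEYVAL_RE = re.compile(r'^([\w.]+):"(.*)"$')     # e.g. state:"Started"
OBJECT_RE = re.compile(r'^[A-Z]+$')              # bare object header: SITE, APPPOOL, ...

# Constructed sample in the appcmd "list site /config" text layout shown in the post.
# The values are made up for this example; two sites are included so the diff has work to do.
SAMPLE = r'''SITE
  SITE.NAME:"Test"
  SITE.ID:"2"
  bindings:"http/*:80:*"
  state:"Started"
  [site]
    name:"Test"
    id:"2"
    serverAutoStart:"true"
    [bindings]
      [binding]
        protocol:"http"
        bindingInformation:"*:80:*"
        sslFlags:"0"
    [limits]
      maxBandwidth:"4294967295"
      connectionTimeout:"00:02:00"
    [logFile]
      directory:"C:\inetpub\logs\LogFiles"
      logFormat:"W3C"
SITE
  SITE.NAME:"Test-Prod"
  SITE.ID:"3"
  bindings:"https/*:443:*"
  state:"Stopped"
  [site]
    name:"Test-Prod"
    id:"3"
    serverAutoStart:"true"
    [bindings]
      [binding]
        protocol:"https"
        bindingInformation:"*:443:*"
        sslFlags:"1"
    [limits]
      maxBandwidth:"4294967295"
      connectionTimeout:"00:02:00"
    [logFile]
      directory:"C:\inetpub\logs\LogFiles"
      logFormat:"W3C"
'''


def parse_appcmd_text(text):
    """Turn appcmd text output into a list of flat dicts, one per object (site, app pool, ...).

    Nesting is tracked by indentation: a stack of (indent, section_name) is popped
    whenever a line is at the same or a shallower indent than the section on top.
    """
    records = []
    current = None
    stack = []  # (indent, section_name) for every enclosing [section]
    for raw in text.splitlines():
        line = raw.rstrip()            # appcmd leaves trailing spaces on most lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(' '))
        body = line.strip()
        if indent == 0 and OBJECT_RE.match(body):
            current = {'object_type': body}   # new record starts at each bare SITE/APPPOOL line
            records.append(current)
            stack = []
            continue
        if current is None:
            raise ValueError('setting found before any object header: %r' % raw)
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # left one or more [section] blocks
        m = SECTION_RE.match(body)
        if m:
            stack.append((indent, m.group(1)))
            continue
        m = KEYVAL_RE.match(body)
        if m:
            prefix = '.'.join(name for _, name in stack)
            key = m.group(1) if not prefix else prefix + '.' + m.group(1)
            current[key] = m.group(2)
            continue
        raise ValueError('unrecognised appcmd line: %r' % raw)
    return records


def to_json_lines(records):
    """One JSON object per line: the shape Splunk breaks into one event per site."""
    return '\n'.join(json.dumps(r, sort_keys=True) for r in records)


def diff_configs(a, b):
    """Return {key: (value_in_a, value_in_b)} for every setting that differs; None marks a missing key."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == '__main__':
    sites = parse_appcmd_text(SAMPLE)
    print(to_json_lines(sites))                     # feed this file to Splunk with KV_MODE = json
    for key, (left, right) in diff_configs(sites[0], sites[1]).items():
        print('%-45s %-20s -> %s' % (key, left, right))
```

Run the script over the real `appcmd list site /config` output (one text file per export) and have Splunk monitor the JSON it writes instead of the raw dump; each site then indexes as its own event, and a search such as `... | table SITE.NAME state site.bindings.binding.bindingInformation` gives the comparison table directly. The same parser handles the `APPPOOL` dump, since it only relies on the bare uppercase header line and the indentation.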

efavreau
Motivator

I would suggest trying the output as XML, in order to get more logical parsing out of the box for Splunk. Your observation is correct... the whole config IS a single entry. You are trying to compare the fields in one entry with the fields in another entry.

###

If this reply helps you, an upvote would be appreciated.
0 Karma