I am observing intermittent issues parsing IIS data. Splunk is configured for index time parsing of IIS events on the universal forwarders (INDEXED_EXCTRACTIONS). The extraction works fine for most events, but a small percentage (less than 1%) fail parsing.
I am detecting the events that fail parsing with the following SPL
index=[IIS INDEXES] sourcetype=iis NOT c_ip=*
I have noticed an error in the splunkd.log on the universal forwarders that accounts for some of these issues.
04-06-2022 20:08:42.602 -0500 WARN CsvLineBreaker - Parser warning: Encountered unescaped quotation mark in field while parsing. This may cause inaccurate field extractions or corrupt/merged events. - data_source="e:\iis-logs\W3SVC1\u_ex220407.log", data_host="XXXXX", data_sourcetype="iis"
In these cases, it appears that not only does index time field parsing fail but event breaking fails resulting many events getting lumped into a single event. This may not be avoidable and we’re at least able to point to a cause for these issues but many more are unexplained.
For most of the events that fail parsing the result is a single line event which appears to be formatted correctly but has no indexed fields. I was originally having an issue with these events reporting in the future as well but adding a time zone to props.conf seems to have at least resolved that issue.
I have upgraded through several versions (8.1.2, 8.2.3, 184.108.40.206) on the Universal forwarders and have seen this issue across all these versions.
If you have and ideas on what might be causing failures in index time parsing issues for IIS data I would love to hear them.
update: actually I see that using next setting is solving the issue apparently, but I find it uncontrollable , I am not sure if and how the backtick or whatever I decide to add there will appear and break other things, so as I have little amount of events with this issue I am choosing not to go further ...
FIELD_QUOTE=` ( so instead of " which is maybe some default - Specifies the character to use for quotes in the specified file or source. You can specify special characters in this attribute. )
Hi, I have same issue and no solution
Even trying to use these configs : I have failed to produce anything but garbage , actually it seems they don't even work and they conflict somehow with w3c setting
what I was hopping was that maybe this setting below would help , but it did not