Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring a folder that stores my IIS logs, why is a new Source created daily for each new IIS log file?

dglass0215
Path Finder
‎04-28-2015 07:30 AM

I have Splunk set to monitor the folder that stores my IIS logs. It is currently working, however, since there is a new log file created daily, each one is considered a source. So when I look at my data summary I have 215 sources and counting since each day a new one is added. Is this the way it is supposed to be?

Tags (3)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-28-2015 07:45 AM

Hi dglass0215,

Yes, this is the way Splunk handles source files; it creates for each new file a field called source=NewFileName. Maybe you mixed it up with sourcetype? This should not be set to auto else it can happen, that Splunk creates new source types as well and this will make your life harder in creating fast performing searches.

Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Whysourcetypesmatter?r=searchtip to get more details on this topic.

cheers, MuS

0 Karma
Reply

dglass0215
Path Finder
‎04-28-2015 07:53 AM

My sourcetype is correctly set to "iis". I just find it odd that I have a new source added each day. So that means after a year I will have 365 sources from monitoring the log file directory. Just seems silly to me. But thanks for your answer.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...