Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

So can you use INDEXED_EXTRACTIONS = w3c with something other than the sourcetype of iis?

hoopydave
Path Finder
‎10-30-2014 11:27 AM

If I add INDEXED_EXTRACTIONS = w3c using a sourcetype other than iis, it does not work for defining the field names. Is there a .conf file that I can define a different sourcetype for this functionality? We have several groups with different IIS logs and I'd like to call the sourcetype iis_group1, iis_group2, etc.

Tags (2)
Reply

jnv7
Engager
‎09-10-2015 03:54 AM

Well, just in case anyone bumps into this, I guess it was quite a newbie problem. I managed to do it by deploying to the forwarder (instead of the indexer) a props.conf file with a copy of the [iis] default stanza but with the different name [iis_group1] in the example. This way the w3c fields in iis_group1 should be automatically extracted.

Reply

somesoni2
Revered Legend
‎10-31-2014 08:04 AM

Give this a try

[iis_group1]
pulldown_type = true 
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
category = Web

Update

Try this

[iis_group1]
pulldown_type = true 
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
FIELD_DELIMITER = whitespace
FIELD_HEADER_REGEX = ^#Fields:\\s*(.*)
MISSING_VALUE_REGEX = -
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIMESTAMP_FIELDS = date,time
Reply

hoopydave
Path Finder
‎10-31-2014 08:43 AM

Thanks for your response, somesoni2,
As suggested, I tried:
inputs.conf

# DOTNET IIS LOGS
[monitor://D:\Applications\*\*\W*\*.log]
sourcetype = iis_group1
index = dotnet
ignoreOlderThan = 5d
disabled = false

props.conf

        [iis_group1]
        pulldown_type = true
        MAX_TIMESTAMP_LOOKAHEAD = 32
        SHOULD_LINEMERGE = False
        INDEXED_EXTRACTIONS = w3c
        detect_trailing_nulls = auto
        category = Web

That makes the data look good, but it is still not pulling in the standard IIS field names; c_ip, cs_bytes, cs_method, cs_uri_query, cs_uri_stem, cs_User_Agent, cs_username, etc

Results:

    Interesting Fields

        a d 15
        # date_hour 1
        # date_mday 1
        # date_minute 1
        a date_month 1
        # date_second 12
        a date_wday 1
Reply

jnv7
Engager
‎09-08-2015 06:23 AM

hi, this is an old topic but I just found this exact same behavior. Has anyone ever found a justification for this? If I use sourcetype=iis, the w3c fields are automatically extracted. On the other hand, if I copy the [iis] stanza into my props.conf with another name and use this as the sourcetype, the fields are not extracted anymore.

0 Karma
Reply

rajbir1
Explorer
‎03-17-2016 07:33 AM

Make sure you are sending a copy of your custom props.conf to the UF as well. I had the same issue but it started working when I put a copy of props.conf with my custom sourcetype on UF's.

0 Karma
Reply

hoopydave
Path Finder
‎10-31-2014 06:27 AM

I have created different stanzas using different sourcetypes, but the only time I can get the field extractions to work correctly is if I use [iss] as the sourcetype. If i use something like [iss_group1], the field names do not get extracted correctly. Running the same query (index=dotnet) see the examples below:

This one works using [iis] as the sourcetype:
Inputs.conf

    # DOTNET IIS LOGS
    [monitor://D:\Applications\*\*\W*\*.log]
    sourcetype = iis
    index = dotnet
    ignoreOlderThan = 5d
    disabled = false

props.conf

    [iis]
    INDEXED_EXTRACTIONS = w3c

Returns:

    Interesting Fields
        a c_ip 1
        # cs_bytes 100+
        a cs_method 2
        a cs_uri_query 25
        a cs_uri_stem 86
        a cs_User_Agent 4
        a cs_username 3
        a date 1

If I change that sourcetype to [iis_group1] and use INDEXED_EXTRACTIONS = w3c, Splunk does not properly extract the field names:

inputs.conf:

    # DOTNET IIS LOGS
    [monitor://D:\Applications\*\*\W*\*.log]
    sourcetype = iis_group1
    index = dotnet
    ignoreOlderThan = 5d
    disabled = false

props.conf

    [iis_group1]
    INDEXED_EXTRACTIONS = w3c

Returns

Interesting Fields

    # date_hour 24
    # date_mday 5
    # date_minute 60
    a date_month 1
    # date_second 60
    a date_wday 5
    # date_year 1
    a date_zone 1
0 Karma
Reply

vasanthmss
Motivator
‎10-30-2014 04:45 PM

Create a different stanzas in the props.conf and use your stanzas (sourcetype) while indexing the log

V
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...