Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Source Type IIS not identifying fields

jeremymorin
Engager
‎03-12-2015 11:55 AM

I am using Splunk Universal Forwarder to monitor IIS logfiles and send to Splunk Server. All of the fields are getting indexed and the data looks good when I do a search. Splunk automatically identifies the source type as IIS however the only fields I have are host, source and sourcetype. I'm running Splunk 6.2 on CentOS and the Splunk Universal Forwarder is running on a Windows box. When I was running in a test environment, I was able to suck in the same IIS logs and the proper fields were discovered and searchable. Nothing appears to be any different on the new server that I can see. Any guidance would be helpful and appreciated.

0 Karma
Reply

dgrubb_splunk
Splunk Employee
Splunk Employee
‎03-13-2015 03:22 AM

If your forwarder is also a 6.2 then you will need to configure the props.conf on the forwarder in order for the extractions to occur.

please see this blog for an excellent write up on the new indexed extractions:

http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...