Getting Data In

Source Type IIS not identifying fields

jeremymorin
Engager

I am using Splunk Universal Forwarder to monitor IIS logfiles and send to Splunk Server. All of the fields are getting indexed and the data looks good when I do a search. Splunk automatically identifies the source type as IIS however the only fields I have are host, source and sourcetype. I'm running Splunk 6.2 on CentOS and the Splunk Universal Forwarder is running on a Windows box. When I was running in a test environment, I was able to suck in the same IIS logs and the proper fields were discovered and searchable. Nothing appears to be any different on the new server that I can see. Any guidance would be helpful and appreciated.

0 Karma

dgrubb_splunk
Splunk Employee
Splunk Employee

If your forwarder is also a 6.2 then you will need to configure the props.conf on the forwarder in order for the extractions to occur.

please see this blog for an excellent write up on the new indexed extractions:

http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...