Source Type IIS not identifying fields

jeremymorin · ‎03-12-2015

I am using Splunk Universal Forwarder to monitor IIS logfiles and send to Splunk Server. All of the fields are getting indexed and the data looks good when I do a search. Splunk automatically identifies the source type as IIS however the only fields I have are host, source and sourcetype. I'm running Splunk 6.2 on CentOS and the Splunk Universal Forwarder is running on a Windows box. When I was running in a test environment, I was able to suck in the same IIS logs and the proper fields were discovered and searchable. Nothing appears to be any different on the new server that I can see. Any guidance would be helpful and appreciated.

dgrubb_splunk · ‎03-13-2015

If your forwarder is also a 6.2 then you will need to configure the props.conf on the forwarder in order for the extractions to occur.

please see this blog for an excellent write up on the new indexed extractions:

http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

Source Type IIS not identifying fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation

Source Type IIS not identifying fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling