Sourcetype confusion over IIS logs - Help to find a cogent Spec and Select

kmower
Communicator

I have been doing testing and planning out my Splunk deployment. I have set up a Universal Forwarder on one of our pre-Production servers and am bringing in IIS logs in the iis sourcetype.

However, after having done some Splunk training - which seems to be primarily Apache focused (nothing wrong with that, I love Apache but my org is borg ... uh, Microsoft that is). Anyway, I am wondering about the Splunk Add-On for Microsoft IIS - app 3185 on splunkbase - and if there is some coverage of the built-in iis sourcetype and the Add-On for IIS ... I have gone through the forum etc. but I can't seem to find a cogent Spec and Select. Is there one that I am just not finding (betting there is somewhere)? Thanks.

0 Karma

FrankVl
Ultra Champion

Haven't thoroughly investigated, but I think the built-in sourcetype mostly just applies the indexed w3c extractions, while the iis add-on also provides mapping to CIM datamodel(s) with additional extractions/aliases, eventtyping and tagging.

kmower
Communicator

Hi Frank, Thanks for that. Yes, that is kind of my suspicion too. One thing with Splunk is that there is a lot of Suspicion around these things and not really enough hard data. I see this as a hurdle for uptake in the market, even though Splunk and its share price have been going through the roof. It's not a criticism, but a side effect of fast growth - their information is sparse, patchy and non-definitive. It would be good to know why they rolled out an 'Add-On' vis a vis the native sourcetype. Sourcetypes are a main point (perhaps the main point) of definition for Splunk data, and I think they really need a lot more documentation love than they are getting at present. Thanks.

0 Karma

adonio
Ultra Champion

What is the question?

0 Karma

kmower
Communicator

The question is about sourcetype for IIS logs. What are the advantages of using the Splunk Add-On for Microsoft IIS and its sourcetype of ms:iis:auto (for example) as compared with the inbuilt Splunk sourcetype of iis?

shocko
Contributor

I have essentially asked the same thing over here. Did you ever get an answer? 

0 Karma