Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Sourcetype confusion over IIS logs- Help to find a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been doing testing and planning out my Splunk deployment. I have set up a Universal Forwarder on one of our pre-Production servers and am bringing in IIS logs in the iis sourcetype.
However, after having done some Splunk training - which seems to be primarily Apache focused (nothing wrong with that, I love Apache but my org is borg ... uh, Microsoft that is). Anyway, I am wondering about the Splunk Add-On for Microsoft IIS - app 3185 on splunkbase - and if there is some coverage of the built-in iis sourcetype and the Add-On for IIS ... I have gone through the forum etc. but I can't seem to find a cogent Spec and Select. Is there one that I am just not finding (betting there is somewhere)? Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Haven't thoroughly investigated, but I think the built in sourcetype mostly just applies the indexed w3c extractions, while the iis add-on also provides mapping to CIM datamodel(s) with additional extractions/aliases, eventtyping and tagging.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Haven't thoroughly investigated, but I think the built in sourcetype mostly just applies the indexed w3c extractions, while the iis add-on also provides mapping to CIM datamodel(s) with additional extractions/aliases, eventtyping and tagging.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Frank, Thanks for that. Yes, that is kind of my suspicion too. One thing with Splunk is that there is a lot of Suspicion around these things and not really enough hard data. I see this as a hurdle for uptake in the market, even though Splunk and its share price have been going through the roof. It's not a criticism, but a side effect of fast growth - their information is sparse, patchy and non-definitive. It would be good to know why they rolled out an 'Add-On' vis a vis the native sourcetype. Sourcetypes are a main point (perhaps the main point) of definition for Splunk data, and I think they really need a lot more documentation love than they are getting at present. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what is the question?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The question is about sourcetype for IIS logs. What are the advantages of using the Splunk Add-On for Microsoft IIS and its sourcetype of ms:iis:auto (for example) as compared with the inbuilt Splunk sourcetype of iis?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have essentially asked the same thing over here. Did you ever get an answer?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
