Getting Data In

Splunk Add-on for Microsoft IIS - ms:iis:auto - No Fields Extracted

iamperson347
Explorer

Hi All,

I've followed the instructions here (https://docs.splunk.com/Documentation/AddOns/latest/MSIIS/About) to ingest MS IIS logs into splunk. I have installed the universal forwarder on our test windows server, as well as the IIS Splunkbase app on the windows server and our heavy forwarder. (Our heavy forwarder is configured to forward upstream.)

For inputs on the test windows server, we have this configured:

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf

 

[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
index = test_index
sourcetype = ms:iis:auto

 

Example of the IIS log:

 

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2020-09-18 13:15:43
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-18 13:15:43 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 304 0 0 171
2020-09-18 13:15:43 127.0.0.1 GET /iis-85.png - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko http://localhost/ 304 0 0 0
2020-09-18 13:15:43 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64;+Trident/7.0;+rv:11.0)+like+Gecko - 404 0 2 0

 

 

Data from Splunk Search:

 

iamperson347_0-1600436227742.png

 

Any idea on why fields aren't being extracted? Not even host is being extracted. Other logs from our windows servers work fine, this is the only app/log type we are currently having trouble with.

Labels (2)
0 Karma
1 Solution

iamperson347
Explorer

Issue was with the search itself - not the fields from the app.

View solution in original post

0 Karma

iamperson347
Explorer

Issue was with the search itself - not the fields from the app.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try installing the IIS add-on on your search head(s).

---
If this reply helps you, Karma would be appreciated.
0 Karma

iamperson347
Explorer

Hi @richgalloway 

It looks like it is already installed on the search heads.

 

iamperson347_0-1600437206016.png

 

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...