Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Microsoft IIS - ms:iis:auto - No Fields Extracted

iamperson347
Explorer
‎09-18-2020 06:41 AM

Hi All,

I've followed the instructions here (https://docs.splunk.com/Documentation/AddOns/latest/MSIIS/About) to ingest MS IIS logs into splunk. I have installed the universal forwarder on our test windows server, as well as the IIS Splunkbase app on the windows server and our heavy forwarder. (Our heavy forwarder is configured to forward upstream.)

For inputs on the test windows server, we have this configured:

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf

 

[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
index = test_index
sourcetype = ms:iis:auto

 

Example of the IIS log:

 

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2020-09-18 13:15:43
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-18 13:15:43 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 304 0 0 171
2020-09-18 13:15:43 127.0.0.1 GET /iis-85.png - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko http://localhost/ 304 0 0 0
2020-09-18 13:15:43 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64;+Trident/7.0;+rv:11.0)+like+Gecko - 404 0 2 0

 

 

Data from Splunk Search:

 

iamperson347_0-1600436227742.png

 

Any idea on why fields aren't being extracted? Not even host is being extracted. Other logs from our windows servers work fine, this is the only app/log type we are currently having trouble with.

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

iamperson347
Explorer
‎09-21-2020 09:39 AM

Issue was with the search itself - not the fields from the app.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

iamperson347
Explorer
‎09-21-2020 09:39 AM

Issue was with the search itself - not the fields from the app.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2020 06:51 AM

Try installing the IIS add-on on your search head(s).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

iamperson347
Explorer
‎09-18-2020 06:54 AM

Hi @richgalloway 

It looks like it is already installed on the search heads.

 

iamperson347_0-1600437206016.png

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...