Getting Data In

Splunk Add-on for Microsoft IIS - ms:iis:auto - No Fields Extracted

iamperson347
Explorer

Hi All,

I've followed the instructions here (https://docs.splunk.com/Documentation/AddOns/latest/MSIIS/About) to ingest MS IIS logs into splunk. I have installed the universal forwarder on our test windows server, as well as the IIS Splunkbase app on the windows server and our heavy forwarder. (Our heavy forwarder is configured to forward upstream.)

For inputs on the test windows server, we have this configured:

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf

 

[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
index = test_index
sourcetype = ms:iis:auto

 

Example of the IIS log:

 

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2020-09-18 13:15:43
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-18 13:15:43 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 304 0 0 171
2020-09-18 13:15:43 127.0.0.1 GET /iis-85.png - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko http://localhost/ 304 0 0 0
2020-09-18 13:15:43 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64;+Trident/7.0;+rv:11.0)+like+Gecko - 404 0 2 0

 

 

Data from Splunk Search:

 

iamperson347_0-1600436227742.png

 

Any idea on why fields aren't being extracted? Not even host is being extracted. Other logs from our windows servers work fine, this is the only app/log type we are currently having trouble with.

Labels (2)
0 Karma
1 Solution

iamperson347
Explorer

Issue was with the search itself - not the fields from the app.

View solution in original post

0 Karma

iamperson347
Explorer

Issue was with the search itself - not the fields from the app.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try installing the IIS add-on on your search head(s).

---
If this reply helps you, Karma would be appreciated.
0 Karma

iamperson347
Explorer

Hi @richgalloway 

It looks like it is already installed on the search heads.

 

iamperson347_0-1600437206016.png

 

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...