Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk addon for iis: why have configs other than ms:iis:auto been deprecated?

cmeo-bcit
Explorer
‎02-04-2026 03:16 PM

I see from the latest release notes that the recommended sourcetype is ms:iis:auto and the others have been deprecated, presumably to go away at some future point.

What I don't see is the reasoning behind this, in view of the known disadvantages of indexed inputs on the forwarder:

--no further parsing possible

--greatly increases storage requirements

--others of lesser importance e.g. less flexible if the log is reconfigured

Does anyone know of compelling reasons why this has been done? Personally I will always use search-time field extraction unless there is a really good reason not to. It seems to be a wrong turn, unless I've missed something.

Charles

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-05-2026 01:47 AM

As far as I remember the IIS output logs, the problem with them is that they are CSV without a fixed column order. So you have to rely on the header row to extract the data in proper order. And that's possible only with indexed extractions. The other solution would be to create an external script reading the file, reformatting it and ingesting it as something else (json? k/v pairs?). That could work but it would mean that you weren't indexing the original event which might be important if you needed to use that as evidence - the event would already have been tampered with.

0 Karma
Reply

cmeo-bcit
Explorer
‎02-05-2026 10:19 PM

You can also define the column names when using the standard csv wizard, by manual editing.

I suppose it depends on how often your column order gets modified by the system owner. Theoretically, this could happen any time. Does anyone have a feel for how often it happens in practice?

 

cm

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-06-2026 03:28 AM

I'm not familiar with how the IIS logs are exported. If it is as you say - you can define manually which columns are exported and you're gonna keep it that way then yes, you could define the field order manually within props.conf and that would work OK.

I suppose creators of the add-on didn't want to make assumptions and just did it so that it works whatever fields and in whatever order are exported.

0 Karma
Reply

cmeo-bcit
Explorer
‎02-08-2026 04:20 PM

I can understand that. What I can't understand is why the other methods have been deprecated because once they go away, if you need to do any additional parsing of IIS logs, you can't using this app, which becomes useless and you're back to doing it all yourself anyway.

Anybody connected with the care and feeding of this app care to chime in?

Charles

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...