I keep all the IIS web sites in the following folder: D:\inetpub\LogFiles
So the tree would look like this:
My input.conf is set as follows:
ignoreOlderThan = 14d
HOWEVER...It appears that the logs are coming in and splunk is applying the following sourcetypes, seemingly at random to these IIS Log files:
Why? The logs are exactly the same. What are all of these others sourcetypes (iis-)?
This answer explains what goes on in detail: http://splunk-base.splunk.com/answers/72860/sourcetypes-keep-on-multiplying