Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are the time stamps taken from the file change time for IIS?

ddrillic
Ultra Champion
‎05-22-2019 08:32 AM

For some reason, the _time for the ms:iis:auto events are taken from the file change/create time, which seems to be either the creation or the daily rotation time.

In the file itself the date/stamp look just fine -

2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/sitemin....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/common_....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/images/....
2017-07-01 00:00:00 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:01 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....
Tags (2)
Reply

ddrillic
Ultra Champion
‎05-23-2019 07:35 AM

ms:iis:auto doens't work for us while ms:iis:default with TZ adjustment works - weird.

0 Karma
Reply

koshyk
Super Champion
‎05-26-2019 02:03 AM

@ddrillic , mate did you find a working configuration?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-22-2019 03:07 PM

We recently went through this and we found best luck with ms:iis:auto but we only had to install the TA on the forwarders and search heads, not the indexers

Reply

ddrillic
Ultra Champion
‎05-23-2019 07:47 AM

Really interesting @jkat54.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-26-2019 05:14 AM

I believe we did install it everywhere but the trick was that the universal forwarder needed it.

0 Karma
Reply

ddrillic
Ultra Champion
‎05-22-2019 09:20 AM

A colleague said -

When it comes to the IIS TA, only one of the sourcetypes will actually work on the indexers whereas the second sourcetype needs to have either the TA or a separate props.conf deployed to the forwarder since it’s using INDEXED_EXTRACTIONS.

Deploying the full TA is overkill, IMO. Just need to throw in the following into a new props.conf for the forwarder and you’re all set.

 INDEXED_EXTRACTIONS = w3c
 TIMESTAMP_FIELDS = date, time
0 Karma
Reply

koshyk
Super Champion
‎05-22-2019 09:24 AM

agreed. The TA is not upto normal quality/standard

If you really wish, you can take the bits out of the TA and create your own and re-use the sourcetype.

Reply

koshyk
Super Champion
‎05-22-2019 09:08 AM

how does your raw data look like? (or is the output above from raw file itself?)

0 Karma
Reply

ddrillic
Ultra Champion
‎05-22-2019 09:17 AM

Looks the same as the file itself above...

0 Karma
Reply

koshyk
Super Champion
‎05-22-2019 09:26 AM

may be it is easier to extract timestamp and event_breaker yourself

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...