Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are the time stamps taken from the file change time for IIS?

ddrillic
Ultra Champion
‎05-22-2019 08:32 AM

For some reason, the _time for the ms:iis:auto events are taken from the file change/create time, which seems to be either the creation or the daily rotation time.

In the file itself the date/stamp look just fine -

2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/sitemin....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/common_....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/images/....
2017-07-01 00:00:00 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:01 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....
Tags (2)
Reply

ddrillic
Ultra Champion
‎05-23-2019 07:35 AM

ms:iis:auto doens't work for us while ms:iis:default with TZ adjustment works - weird.

0 Karma
Reply

koshyk
Super Champion
‎05-26-2019 02:03 AM

@ddrillic , mate did you find a working configuration?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-22-2019 03:07 PM

We recently went through this and we found best luck with ms:iis:auto but we only had to install the TA on the forwarders and search heads, not the indexers

Reply

ddrillic
Ultra Champion
‎05-23-2019 07:47 AM

Really interesting @jkat54.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-26-2019 05:14 AM

I believe we did install it everywhere but the trick was that the universal forwarder needed it.

0 Karma
Reply

ddrillic
Ultra Champion
‎05-22-2019 09:20 AM

A colleague said -

When it comes to the IIS TA, only one of the sourcetypes will actually work on the indexers whereas the second sourcetype needs to have either the TA or a separate props.conf deployed to the forwarder since it’s using INDEXED_EXTRACTIONS.

Deploying the full TA is overkill, IMO. Just need to throw in the following into a new props.conf for the forwarder and you’re all set.

 INDEXED_EXTRACTIONS = w3c
 TIMESTAMP_FIELDS = date, time
0 Karma
Reply

koshyk
Super Champion
‎05-22-2019 09:24 AM

agreed. The TA is not upto normal quality/standard

If you really wish, you can take the bits out of the TA and create your own and re-use the sourcetype.

Reply

koshyk
Super Champion
‎05-22-2019 09:08 AM

how does your raw data look like? (or is the output above from raw file itself?)

0 Karma
Reply

ddrillic
Ultra Champion
‎05-22-2019 09:17 AM

Looks the same as the file itself above...

0 Karma
Reply

koshyk
Super Champion
‎05-22-2019 09:26 AM

may be it is easier to extract timestamp and event_breaker yourself

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...