Getting Data In

Why are the time stamps taken from the file change time for IIS?

ddrillic
Ultra Champion

For some reason, the _time for the ms:iis:auto events are taken from the file change/create time, which seems to be either the creation or the daily rotation time.

In the file itself the date/time stamps look just fine -

2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/sitemin....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/common_....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/images/....
2017-07-01 00:00:00 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:01 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....

ddrillic
Ultra Champion

ms:iis:auto doesn't work for us while ms:iis:default with TZ adjustment works - weird.

0 Karma

koshyk
Super Champion

@ddrillic, mate did you find a working configuration?

0 Karma

jkat54
SplunkTrust

We recently went through this and we found best luck with ms:iis:auto, but we only had to install the TA on the forwarders and search heads, not the indexers.

ddrillic
Ultra Champion

Really interesting @jkat54.

0 Karma

jkat54
SplunkTrust

I believe we did install it everywhere but the trick was that the universal forwarder needed it.

0 Karma

ddrillic
Ultra Champion

A colleague said -

When it comes to the IIS TA, only one of the sourcetypes will actually work on the indexers whereas the second sourcetype needs to have either the TA or a separate props.conf deployed to the forwarder since it’s using INDEXED_EXTRACTIONS.

Deploying the full TA is overkill, IMO. Just throw the following into a new props.conf for the forwarder and you're all set.

INDEXED_EXTRACTIONS = w3c
TIMESTAMP_FIELDS = date, time
0 Karma
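To make concrete what the forwarder-side setting above is doing (building each event's _time from the separate W3C date and time fields, which IIS writes in UTC, rather than from the file's change time), here is an added example in Python. It is not Splunk's, the TA's, or any poster's code; the sample log is constructed from the lines in the question, and the fall-back to a supplied file change time when no #Fields header has been seen is a simplified model of the symptom described, not Splunk's actual timestamp logic.

```python
"""Parse IIS W3C extended log text and derive each event's timestamp from
the date and time fields (UTC), as INDEXED_EXTRACTIONS = w3c with
TIMESTAMP_FIELDS = date, time is meant to do on the forwarder."""
from datetime import datetime, timezone

# Constructed sample resembling the question's lines. IIS writes a #Fields
# directive at the top of each log file naming the columns that follow.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Version: 1.0
#Date: 2017-07-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
2017-07-01 00:00:00 10.106.180.47 GET /health.html - 443 -
2017-07-01 00:00:01 10.106.180.47 GET /health.html - 443 -
2017-07-01 00:00:06 10.106.180.47 GET /cl_includes/common_.js - 443 -
"""


def parse_w3c(text, file_mtime_epoch):
    """Return one dict per event: the W3C fields, '_time' as a UTC epoch,
    and 'time_source' recording where the timestamp came from.

    file_mtime_epoch (hypothetical parameter) stands in for the file's
    change time; it is used only when no #Fields header has been seen, so
    the date/time columns cannot be identified (simplified model of the
    symptom in the question)."""
    fields = None
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date carry no event data
        values = line.split()
        if fields is None:
            ev = {"_raw": line, "_time": file_mtime_epoch,
                  "time_source": "file_mtime"}
        else:
            ev = dict(zip(fields, values))
            # IIS W3C date/time fields are UTC, so no TZ adjustment is needed.
            ts = datetime.strptime(ev["date"] + " " + ev["time"],
                                   "%Y-%m-%d %H:%M:%S")
            ev["_time"] = ts.replace(tzinfo=timezone.utc).timestamp()
            ev["time_source"] = "date+time fields"
        events.append(ev)
    return events
```

Running the parser on the same data lines without the header shows every event collapsing onto the file change time, which is the pattern reported in the question.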

koshyk
Super Champion

Agreed. The TA is not up to normal quality/standard.

If you really wish, you can take the bits out of the TA and create your own and re-use the sourcetype.

koshyk
Super Champion

What does your raw data look like? (Or is the output above from the raw file itself?)

0 Karma

ddrillic
Ultra Champion

Looks the same as the file itself above...

0 Karma

koshyk
Super Champion

Maybe it is easier to extract the timestamp and event_breaker yourself.
