Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is Hunk not picking up the iis sourcetype I configured in props.conf?

jwalzerpitt
Influencer
‎12-03-2015 01:48 PM

I created a new virtual index to search against IIS logs (I have an HDFS directory that holds 11 individual logs all formatted for WC3). I selected 'Explore Data', selected the first file, and walked through the steps, selecting 'iis' as the sourcetype and I could see it parsed the fields correctly. Finished Explore Data and the following config was added to my props.conf file:

[source::/LogCentral/IIS/EWI/2015-12-02/EWI-ZWEB-06A_12_02_2015/Default Web Site_151202.log]
sourcetype = iis

I then went in and edited the props.conf file and added the other 10 files and then rebooted the splunk service. I then logged in and ran a search and the events are not being parsed with the iis fields.

Any ideas?

Thx

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎12-03-2015 02:38 PM

Did you try adding the priority line in that stanza?

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎12-03-2015 09:52 PM

Could the space in the file name 'Default Web Site_151202.log' be possibly causing a problem?

Reply

jwalzerpitt
Influencer
‎12-07-2015 07:21 AM

Renamed the file to 'Default_Web_Site_151202.log' and still having the same issue.

Under the generic 'Selected Fields' listing, it says, '71 more fields', but clicking that link only shows me 28 additional fields.

Thx

0 Karma
Reply

jwalzerpitt
Influencer
‎12-03-2015 06:33 PM

Added priority line and still no iis WC3 fields being extracted:

[source::/LogCentral/IIS/EWI/2015-12-02/EWI-ZWEB-06A_12_02_2015/Default Web Site_151202.log]
sourcetype = iis
priority = 10

Thx

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...