Why is Hunk not picking up the iis sourcetype I co...

jwalzerpitt · ‎12-03-2015

I created a new virtual index to search against IIS logs (I have an HDFS directory that holds 11 individual logs all formatted for WC3). I selected 'Explore Data', selected the first file, and walked through the steps, selecting 'iis' as the sourcetype and I could see it parsed the fields correctly. Finished Explore Data and the following config was added to my props.conf file:

[source::/LogCentral/IIS/EWI/2015-12-02/EWI-ZWEB-06A_12_02_2015/Default Web Site_151202.log]
sourcetype = iis

I then went in and edited the props.conf file and added the other 10 files and then rebooted the splunk service. I then logged in and ran a search and the events are not being parsed with the iis fields.

Any ideas?

Thx

burwell · ‎12-03-2015

Did you try adding the priority line in that stanza?

burwell · ‎12-03-2015

Could the space in the file name 'Default Web Site_151202.log' be possibly causing a problem?

jwalzerpitt · ‎12-07-2015

Renamed the file to 'Default_Web_Site_151202.log' and still having the same issue.

Under the generic 'Selected Fields' listing, it says, '71 more fields', but clicking that link only shows me 28 additional fields.

Thx

jwalzerpitt · ‎12-03-2015

Added priority line and still no iis WC3 fields being extracted:

[source::/LogCentral/IIS/EWI/2015-12-02/EWI-ZWEB-06A_12_02_2015/Default Web Site_151202.log]
sourcetype = iis
priority = 10

Thx

Why is Hunk not picking up the iis sourcetype I configured in props.conf?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!