Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is Hunk not picking up the iis sourcetype I configured in props.conf?

jwalzerpitt
Influencer
‎12-03-2015 01:48 PM

I created a new virtual index to search against IIS logs (I have an HDFS directory that holds 11 individual logs all formatted for WC3). I selected 'Explore Data', selected the first file, and walked through the steps, selecting 'iis' as the sourcetype and I could see it parsed the fields correctly. Finished Explore Data and the following config was added to my props.conf file:

[source::/LogCentral/IIS/EWI/2015-12-02/EWI-ZWEB-06A_12_02_2015/Default Web Site_151202.log]
sourcetype = iis

I then went in and edited the props.conf file and added the other 10 files and then rebooted the splunk service. I then logged in and ran a search and the events are not being parsed with the iis fields.

Any ideas?

Thx

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎12-03-2015 02:38 PM

Did you try adding the priority line in that stanza?

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎12-03-2015 09:52 PM

Could the space in the file name 'Default Web Site_151202.log' be possibly causing a problem?

Reply

jwalzerpitt
Influencer
‎12-07-2015 07:21 AM

Renamed the file to 'Default_Web_Site_151202.log' and still having the same issue.

Under the generic 'Selected Fields' listing, it says, '71 more fields', but clicking that link only shows me 28 additional fields.

Thx

0 Karma
Reply

jwalzerpitt
Influencer
‎12-03-2015 06:33 PM

Added priority line and still no iis WC3 fields being extracted:

[source::/LogCentral/IIS/EWI/2015-12-02/EWI-ZWEB-06A_12_02_2015/Default Web Site_151202.log]
sourcetype = iis
priority = 10

Thx

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...