Hi @SamHTexas,

try to follow these preliminary steps:

• exactly identify path and filenames of your logs (e.g.: C:\inetpub\logs\LogFiles);
• install the Splunk Universal Forwarder (https://docs.splunk.com/Documentation/Forwarder/8.1.2/Forwarder/Installtheuniversalforwardersoftware...
• configure it to send logs to your indexers (https://docs.splunk.com/Documentation/Forwarder/8.1.2/Forwarder/Configuretheuniversalforwarder);
• restart Splunk on Forwarder;
• check if the Splunk internal logs are arriving (index=_internal).

   

To take logs you can use:

• a Technican Add-On from splunkbase (https://splunkbase.splunk.com);
• a custom input.

in the first case

• install the Splunk Add-On for your Web server (e.g. Microsoft IIS https://splunkbase.splunk.com/app/3185);
• Configure it enabling the stanzas you need,
• restart Splunk on Forwarder;
• check the logs.

   

In the second case you have to:

• create by CLI (Universal Frwarders hasn't a web interface) your own inputs.conf in $SPLUNK_HOME\etc\system\local (or $SPLUNK_HOME/etc/system/local on Linux), containing:

[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto
index = <preferred index>

• Restart Splunk on Forwarder
• check the logs.

I hint always the first one!

To better understand how to do this you can see https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain

there are also some interesting videos in YouTube to do this.

Ciao.

Giuseppe