IIS Logs Data Parsing in Search Head
Hi Team,
Our Splunk environment, including Search Heads, Indexers, and CM, is hosted in the cloud and managed by Splunk Support. We manage our Deployment Master and Heavy Forwarder servers, which are hosted in Azure.
We are ingesting logs from both Windows and Linux servers via Splunk Universal Forwarder. For some time, we have been ingesting IIS logs from all Windows machines, defining the sourcetype based on the application and environment. For instance, logs from an application server named "xyz" have a sourcetype of "xyz:iis:prod." However, our internal SOC team has identified that data parsing for these IIS logs is not occurring, and it needs to be addressed immediately without changing the host or sourcetype information.
Currently, when the sourcetype is set to "iis," fields are auto-extracted, but when a different sourcetype is used, field extraction does not happen.
I need to ensure that field extraction for Microsoft IIS logs works correctly while keeping the sourcetype unchanged. How can this be achieved?
You can try a sourcetype rename: https://docs.splunk.com/Documentation/Splunk/latest/Data/Renamesourcetypes
You could duplicate the field extractions (and more) that apply to sourcetype xyz, then change them to apply to the new sourcetype xyz:iis:prod.
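The two replies above written out as props.conf stanzas. This is an added example, not configuration from either reply or from Splunk's documentation; it assumes that the parsing the shipped [iis] stanza provides comes from INDEXED_EXTRACTIONS = w3c (applied by the forwarder that reads the file) and that the sourcetype name is the xyz:iis:prod from the question.

```ini
# --- Option 1 (first reply): search-time rename, props.conf on the search head ---
# Events are searched as sourcetype=iis and pick up the iis search-time
# configuration. The original value is kept in _sourcetype, so saved
# searches, alerts and SOC content keyed on sourcetype="xyz:iis:prod"
# need to be updated. Nothing is re-parsed; already-indexed data is unchanged.
[xyz:iis:prod]
rename = iis

# --- Option 2 (second reply): keep the name, copy the parsing ---
# Deploy this props.conf to the Universal Forwarders through the
# deployment server (use it INSTEAD of option 1, in a separate app, not
# in the same file as the stanza above). Assumption: the [iis] stanza in
# Splunk's default props.conf parses IIS W3C logs as structured data, and
# INDEXED_EXTRACTIONS runs on the forwarder that tails the file, so
# placing this only on the search head or heavy forwarder has no effect.
# It applies to newly ingested events only.
[xyz:iis:prod]
INDEXED_EXTRACTIONS = w3c
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
detect_trailing_nulls = auto
MAX_TIMESTAMP_LOOKAHEAD = 32
category = Web
description = Microsoft IIS W3C logs for application xyz (prod), parsed like sourcetype iis
```

After restarting or reloading the forwarders, confirm on the search head that new events carry the W3C header fields (for example cs_method, sc_status, c_ip) while sourcetype still reads xyz:iis:prod; if only option 1 is in place, expect sourcetype=iis in results and the original name in _sourcetype.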
