Splunk Cloud Platform

IIS Logs Data Parsing in Search Head

anandhalagaras1
Contributor

Hi Team,

Our Splunk environment, including Search Heads, Indexers, and CM, is hosted in the cloud and managed by Splunk Support. We manage our Deployment Master and Heavy Forwarder servers, which are hosted in Azure.

We are ingesting logs from both Windows and Linux servers via Splunk Universal Forwarder. For some time, we have been ingesting IIS logs from all Windows machines, defining the sourcetype based on the application and environment. For instance, logs from an application server named "xyz" have a sourcetype of "xyz:iis:prod." However, our internal SOC team has identified that data parsing for these IIS logs is not occurring, and it needs to be addressed immediately without changing the host or sourcetype information.

Currently, when the sourcetype is set to "iis," fields are auto-extracted, but when a different sourcetype is used, field extraction does not happen.

I need to ensure that field extraction for Microsoft IIS logs works correctly while keeping the sourcetype unchanged. How can this be achieved?

0 Karma

PickleRick
SplunkTrust
SplunkTrust
0 Karma

marnall
Motivator

You could duplicate the field extractions (and more) applying to sourcetype xyz, then change them to apply to that new sourcetype of xyz:iis:prod.

Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...