Why after switching from HF to UF, MSWindows:2012:...

gitingua · ‎04-07-2022

Hello colleagues. we recently switched from Splunk HF to UF. before this event with sourcetype = MSWindows:2012:IIS. parsed normal but after installation, something went wrong. and events in the spanner do not take all the fields from the logs

VatsalJagani · ‎04-07-2022

@gitingua - If you are using the https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Install Add-on for collecting and parsing the IIS logs then with UF Add-on requires to be installed on Indexers.

(I'm assuming UF is sending data directly to Indexers.)

I hope this helps, if it does consider upvoting!!!

gitingua · ‎04-08-2022

@VatsalJagani Hi. We use the app https://splunkbase.splunk.com/app/3225/
The problem is that there is a sourcetype=MSWindows:2012:IIS

But it is not described in the props file, it does not parse events, do you think need to change the application?

VatsalJagani · ‎04-08-2022

@gitingua - I would install the Add-on on Indexers still because it seems like Add-on definitely has some parsing configuration. Make sure to put Add-on on the UF as well.

(I'm assuming your UF is sending logs to Indexer directly.)

Why after switching from HF to UF, MSWindows:2012:IIS event no longer parses correctly?

administration

Analytics Workspace

metrics

using Splunk Enterprise

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation