Why after switching from HF to UF, MSWindows:2012:...

gitingua · ‎04-07-2022

Hello colleagues. we recently switched from Splunk HF to UF. before this event with sourcetype = MSWindows:2012:IIS. parsed normal but after installation, something went wrong. and events in the spanner do not take all the fields from the logs

VatsalJagani · ‎04-07-2022

@gitingua - If you are using the https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Install Add-on for collecting and parsing the IIS logs then with UF Add-on requires to be installed on Indexers.

(I'm assuming UF is sending data directly to Indexers.)

I hope this helps, if it does consider upvoting!!!

gitingua · ‎04-08-2022

@VatsalJagani Hi. We use the app https://splunkbase.splunk.com/app/3225/
The problem is that there is a sourcetype=MSWindows:2012:IIS

But it is not described in the props file, it does not parse events, do you think need to change the application?

VatsalJagani · ‎04-08-2022

@gitingua - I would install the Add-on on Indexers still because it seems like Add-on definitely has some parsing configuration. Make sure to put Add-on on the UF as well.

(I'm assuming your UF is sending logs to Indexer directly.)

Why after switching from HF to UF, MSWindows:2012:IIS event no longer parses correctly?

administration

Analytics Workspace

metrics

using Splunk Enterprise

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio