How to get a list of websites from IIS servers with the Splunk IIS Addon?

Hudond
Path Finder

Hello

We currently have multiple IIS servers with multiple websites, and our goal is to set up a dashboard “overview” panel with a list of the following in a table format:

- server names with IP addresses
- websites installed on the servers
- status of the website (up or down)
- app pool used by the website and its status (running or not)
- IIS bindings for each website

We have installed the Splunk Windows IIS add-on, and data is being imported into the index using the ms:iis:auto sourcetype.

I am struggling to find information on how best to set up the panel and what the best search query or approach is for something like this.

Any advice or information on best approaches would be appreciated, at least to get us started, in order to learn how best to proceed.

Thank you

0 Karma

Hudond
Path Finder

Good afternoon

I was able to come up with the following process but I am having difficulty figuring out one issue.

I added the following PowerShell script to the inputs.conf file on the IIS server that sends the data to the index on the indexer.

[powershell://IISSites]
script = Get-IISSite
schedule = 0 0 0 * * ?
source = powershell
sourcetype = custom-sourcetype
index=Index-Name

When observing the index entries I am seeing the data I need with the following exception for the bindings field:

Results-in-index.JPG

The binding entry seems to have one of the bindings listed from the script, but the remainders are all identified as System.Object[], and that, I must admit, has me stumped.

When I run the PowerShell script on the IIS server, it gives me all the data I am interested in without issue. It is just when running it in Splunk that I see the System.Object[] in the index.

Thank you for any guidance you can provide.

0 Karma

PickleRick
SplunkTrust

I'm not a PS-expert but I suspect that your script does indeed find some objects and returns them. It's just that when it's run from the PS CLI, the PS shell renders the output as text (possibly not including all properties) whereas if you just call the cmdlet directly, the input gets the list of objects and somewhere down the path it's rendered as object.

I'd probably try to write a script iterating over the results of Get-IISSite and printing interesting properties.

0 Karma

Hudond
Path Finder

Thank you for the information, but as you mentioned you are not a PS-expert, I have to also admit I am not well versed in scripting either. But I would appreciate some guidance, if you could, allowing me an opportunity to learn a little more about it.

You mentioned "whereas if you call the cmdlet directly"  and "write a script iterating over the results of Get-IISSite and printing interesting properties"

Could you provide a short sample of what that would look like so that I could review? 

I am uncertain what you meant when you wrote write the cmdlet directly?

 

0 Karma

PickleRick
SplunkTrust

If you do

script=Get-IISSite

you're calling the Get-IISSite cmdlet and just get its raw input.

A very basic example of script contents which could do something with it would be

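# Collect the site objects, then print selected properties of each one
$sites = Get-IISSite
foreach ($site in $sites)
{
    # Property access inside a double-quoted string needs $( ... )
    Write-Output "$($site.Id) $($site.whatever) $($site.and_so_on)"
}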

(Writing from memory so the specifics of the inside code blocks might be a bit off but the general idea is there)

0 Karma
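One way to carry out the suggestion above, as an added example that is not part of any post in this thread: a script that flattens each site's binding collection into a single string so it is no longer rendered as System.Object[], and adds the app pool state and server addresses the original question asked for. It assumes the IISAdministration module is available on the server and that the PowerShell input turns each output object's properties into fields, as it did in the post above; the script file name, the app folder and the output field names are hypothetical.

```powershell
# Added example (not from the thread). Save as a .ps1 file and reference it from the
# [powershell://IISSites] stanza instead of the bare cmdlet, e.g. (hypothetical path):
#   script = . "$SplunkHome\etc\apps\<your_app>\bin\Get-IISInventory.ps1"
Import-Module IISAdministration

# IPv4 addresses of this host, flattened to one comma-separated string
$serverIps = ([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }) -join ','

# Build an app pool name -> state lookup once, instead of querying per site
$poolState = @{}
foreach ($pool in Get-IISAppPool) {
    $poolState[$pool.Name] = [string]$pool.State
}

foreach ($site in Get-IISSite) {
    # The site's root application ("/") determines the site's app pool
    $rootApp  = $site.Applications | Where-Object { $_.Path -eq '/' } | Select-Object -First 1
    $poolName = if ($rootApp) { $rootApp.ApplicationPoolName } else { '' }
    $poolStatus = if ($poolName -and $poolState.ContainsKey($poolName)) {
        $poolState[$poolName]
    } else {
        'Unknown'
    }

    # Bindings is a collection; join it into one string so every binding
    # reaches the index as text rather than as System.Object[]
    $bindings = ($site.Bindings |
        ForEach-Object { "$($_.Protocol)/$($_.BindingInformation)" }) -join ';'

    # One flat object per site: every property is a plain string or number
    [PSCustomObject]@{
        Server       = $env:COMPUTERNAME
        ServerIPs    = $serverIps
        SiteId       = $site.Id
        SiteName     = $site.Name
        SiteState    = [string]$site.State
        AppPool      = $poolName
        AppPoolState = $poolStatus
        Bindings     = $bindings
    }
}
```

Because the bindings arrive as one `;`-separated field, a dashboard search can split it back into separate values at search time if one row per binding is wanted.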

PickleRick
SplunkTrust

The IIS addon lets you analyze logs. It doesn't query the state of the server or perform its inventory. To some extent you can infer the server's state from whether you're getting logs or not and from the ratio of success responses and failures, but that's it.

0 Karma

Hudond
Path Finder

Thank you, I was not 100% certain of that point but you did clarify it for me.

0 Karma

gcusello
SplunkTrust

Hi @Hudond,

I developed a dashboard like yours some time ago, but I don't have IIS logs now. Could you share some samples of your logs?
In the meantime, see whether you can find what you're searching for in the Splunk App for Web Analytics (https://splunkbase.splunk.com/app/2699).

You can also look in the archived Splunk App for Windows Infrastructure (https://splunkbase.splunk.com/app/1680), where (if I remember correctly) there are some interesting dashboards.

Ciao.

Giuseppe

0 Karma

Hudond
Path Finder

Hello Giuseppe

I have been given permission to share the following scrubbed information.

I did review the web analytics app but found that it did not meet the requirements for other things we needed. We used to use the Windows infrastructure application before we transitioned to ITE works. But I did not think of that; I will review the old information we had.

I did consider using PowerShell as a possibility, but I am still researching that approach.

Thank you

-----------------

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-06-07 03:01:03
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken https
2023-06-07 03:01:00 W3SVC2 ServerNameHere 0.0.0.0 GET / - 80 - 0.0.0.0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - - SiteNameHere 303 0 0 1421 off
2023-06-07 03:01:00 W3SVC2 ServerNameHere 0.0.0.0 GET / - 80 - 0.0.0.0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - - SiteNameHere 303 0 0 0 off
2023-06-07 03:01:03 W3SVC2 ServerNameHere 0.0.0.0 GET / - 80 - 0.0.0.0 HTTP/1.1 - - - SiteNameHere 303 0 0 0 off
2023-06-07 03:02:51 W3SVC2 ServerNameHere 0.0.0.0 GET / - 80 - 0.0.0.0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - - SiteNameHere 303 0 0 0 off
2023-06-07 03:02:51 W3SVC2 ServerNameHere 0.0.0.0 GET / - 80 - 0.0.0.0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - - SiteNameHere 303 0 64 0 off
2023-06-07 03:02:51 W3SVC2 ServerNameHere 0.0.0.0 GET / - 80 - 0.0.0.0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - - SiteNameHere 303 0 0 0 off

 

 

 

0 Karma