Solved: Re: I didn't use INDEXED_EXTRACTIONS, but why are ...

rsathish47 · ‎07-12-2015

Hi all,

I found blogs on IIS logs and Spunk 6. I didn't use the INDEXED_EXTRACTIONS, but why are fields still getting extracted properly in Splunk 6.2.1? I just want to know about the internal functionality.

http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

Thanks
Sathish Rangan

jeffland · ‎07-13-2015

If you don't specifically set a sourcetype or any other settings when adding the input, I'd say splunk was smart enough to notice that this is IIS data and decided to use the header data. After all, it is a pretty distinguishable type of log.

View solution in original post

jeffland · ‎07-13-2015

If you don't specifically set a sourcetype or any other settings when adding the input, I'd say splunk was smart enough to notice that this is IIS data and decided to use the header data. After all, it is a pretty distinguishable type of log.

rsathish47 · ‎07-13-2015

Thank you Jeffland.
Is their way to check all per defined header detail in splunk?

rsathish47 · ‎07-13-2015

I got the link
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Listofpretrainedsourcetypes

I didn't use INDEXED_EXTRACTIONS, but why are fields for my IIS logs still getting extracted properly in Splunk 6.2.1?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life