I am indexing W3C Extended IIS logs and have found that Splunk is extracting column headers from the logs, but due to the "#Fields: " text at the beginning of the line introducing the column headings, each piece of data is associated with the wrong column.
It seems that Splunk is considering "#Fields:" as a column header as well, so the date of each log entry is associated with #Fields, the time is associated with date, the cs-method is associated with time, and so on.
Any ideas of how to correct this? I can't seem to find any method to tell IIS to add a CRLF after the "#Fields:" string so that the column headers align properly with their data.
You will need to set up the headers of the columns manually that will be extracted. See this Q/A. Basically, you will set up a manual extraction defined by the sourcetype of the IIS logs that you are indexing. Hope this helps.