Solved: IIS Logs not Parsing as expected

djreschke · ‎10-25-2021

I have a props conf file that is not parsing data as i expected. I can see in the raw log that the IIS log has the header information in it.

[sourcetype]

DATETIME_CONFIG =
INDEXED_EXTRACTIONS = w3c
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
detect_trailing_nulls = auto
disabled = false
pulldown_type = true

When i manual upload the log file and assigning it to it will parse out the log with the same settings.

[sourcetypeA]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = w3c
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
detect_trailing_nulls = auto
disabled = false
pulldown_type = true

This props is on the searchhead were i am searching the data. The IIS logs is being capture via a UF.

Has anyone run into this before?

djreschke · ‎10-25-2021

Needed to create a transforms to fix the issue.

View solution in original post

djreschke · ‎10-25-2021

Needed to create a transforms to fix the issue.

IIS Logs not Parsing as expected

field extraction

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]