Splunk Search

IIS Logs not Parsing as expected

djreschke
Communicator

I have a props conf file that is not parsing data as i expected. I can see in the raw log that the IIS log has the header information in it. 

 

[sourcetype]

DATETIME_CONFIG =
INDEXED_EXTRACTIONS = w3c
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
detect_trailing_nulls = auto
disabled = false
pulldown_type = true

 

When i manual upload the log file and assigning it to it will parse out the log with the same settings.

 

[sourcetypeA]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = w3c
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
detect_trailing_nulls = auto
disabled = false
pulldown_type = true

 

This props is on the searchhead were i am searching the data. The IIS logs is being capture via a UF.

 

Has anyone run into this before?

Labels (1)
Tags (1)
0 Karma
1 Solution

djreschke
Communicator

Needed to create a transforms to fix the issue. 

 

View solution in original post

0 Karma

djreschke
Communicator

Needed to create a transforms to fix the issue. 

 

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...