I have run into the same problem, and ended up specifying the extractions manually. The following will work for IIS W3C (with all fields enabled) as well as the HTTPERR log (which is what you are looking to index):
props.conf:
# Sourcetype for IIS W3C extended logs. The settings below control event
# breaking and timestamping; field names come from the REPORT- transform.
[iisw3c]
# List this sourcetype in the UI sourcetype pulldown.
pulldown_type = true
# Search only the first 32 characters of each line for the timestamp
# (the leading "date time" columns of the FIELDS list in [iisw3cfields]).
MAX_TIMESTAMP_LOOKAHEAD = 32
# One log line per event; never merge lines into multi-line events.
SHOULD_LINEMERGE = False
# Do not derive field names from the file header; the fixed FIELDS list in
# transforms.conf is used instead.
CHECK_FOR_HEADER = False
# Timestamps are parsed as GMT. NOTE(review): confirm the servers write these
# logs in UTC; a wrong TZ shifts every event and breaks timeline correlation
# with other sources during an investigation.
TZ = GMT
# Search-time, position-based field extraction (stanza [iisw3cfields]).
REPORT-iisw3cfields = iisw3cfields
# Index-time transform that discards lines starting with "#"
# (stanza [removecomments]).
TRANSFORMS-removecomments = removecomments
# Sourcetype for the HTTPERR log. Same event-breaking and timestamp settings
# as [iisw3c]; only the field-extraction transform differs.
[iishttperr]
# List this sourcetype in the UI sourcetype pulldown.
pulldown_type = true
# Search only the first 32 characters of each line for the timestamp
# (the leading "date time" columns of the FIELDS list in [iishttperrfields]).
MAX_TIMESTAMP_LOOKAHEAD = 32
# One log line per event; never merge lines into multi-line events.
SHOULD_LINEMERGE = False
# Do not derive field names from the file header; the fixed FIELDS list in
# transforms.conf is used instead.
CHECK_FOR_HEADER = False
# Timestamps are parsed as GMT. NOTE(review): confirm the HTTPERR log on your
# hosts is written in UTC before relying on event times.
TZ = GMT
# Search-time, position-based field extraction (stanza [iishttperrfields]).
REPORT-iishttperrfields = iishttperrfields
# Index-time transform that discards lines starting with "#"
# (stanza [removecomments]).
TRANSFORMS-removecomments = removecomments
transforms.conf:
# Index-time filter referenced by TRANSFORMS-removecomments in props.conf.
# Events routed to nullQueue are dropped before indexing and cannot be
# recovered from the index afterwards.
[removecomments]
# Match any event whose first character is "#". This covers every directive
# line in the log, including the "#Fields:" line that names the columns
# actually being written.
REGEX = ^\#.*
# Rewrite the event's queue ...
DEST_KEY = queue
# ... to nullQueue, i.e. discard it.
# Because the "#Fields:" line is discarded too, a change in the logged columns
# is not visible in indexed data; validate the FIELDS lists against the raw
# log file on the server.
FORMAT = nullQueue
# IIS W3C log field extractions (identical in IIS 6 and 7).
# These assume that every available field is enabled for logging.
# The mapping is purely positional: the Nth space-separated token gets the Nth
# name in FIELDS. If a site logs fewer fields or a different order, values are
# silently assigned to the wrong names (for example c-ip, cs-username or
# sc-status), and searches or alerts built on them return misleading results.
# Compare FIELDS with the "#Fields:" line of the raw log for each site.
[iisw3cfields]
# Columns are separated by a single space.
DELIMS = " "
# cs(Cookie), cs-uri-query and cs-username can carry session identifiers or
# other sensitive values; restrict access to the index that holds this data.
FIELDS = date,time,s-sitename,s-computername,s-ip,cs-method,cs-uri-stem,cs-uri-query,s-port,cs-username,c-ip,cs-version,cs(User-Agent),cs(Cookie),cs(Referer),cs-host,sc-status,sc-substatus,sc-win32-status,sc-bytes,cs-bytes,time-taken
# HTTPERR log field extractions, referenced by REPORT-iishttperrfields in
# props.conf. The mapping is positional, so the list must match the column
# order of the log being indexed.
# NOTE(review): check it against the "#Fields:" line of an HTTPERR log from
# your own hosts; a mismatch shifts every later column under the wrong name.
[iishttperrfields]
# Columns are separated by a single space.
DELIMS = " "
FIELDS = date,time,c-ip,c-port,s-ip,s-port,cs-version,cs-method,cs-uri,sc-status,s-siteid,s-reason,s-queuename
Then set the sourcetype of your monitor stanza in inputs.conf to iisw3c or iishttperr (the stanza names above, without the brackets).