It could just be me and my configuration, but something is amiss.
On my IIS server I have:
# inputs.conf stanza on the forwarder
[monitor://D:\Logs\WebLogs\*\*.log]
disabled = false
sourcetype = ms:iis:auto
ignoreOlderThan = 14d
index = iis1
and I have installed the "Splunk Add-on for Microsoft IIS" v1.0.
From there I thought it was pretty straightforward: if using W3C and auto, with the latest version of Splunk, it should be able to parse and index correctly, but it is not.
When I do a basic search, looking at the index, I have a number of entries called fieldx (1, 2, 3, 4, ...) as well as EXTRA_FIELD_X.
These fields I can live with; the real issue is with the data indexing.
For instance:
under c_host, I have HTTP/1.1
under c_ip the only value is 80
dest_ip has HTTP/1.1
s_port shows /ActiveEfficiency/Devices/
This goes on and on, making the data fairly useless. While it is all there, it is difficult to get any use out of the dashboards, as "Activity by HTTP Method" shows me server names.
So, the question would be: is the issue the way Splunk is processing/indexing the data, or the way the forwarder is presenting it to the Splunk server?
Hopefully this is something simple to fix and will not require custom transforms.conf and props.conf files, as that would defeat the purpose of the advertised improved IIS indexing ability of Splunk. Or maybe I completely misjudged things and am expecting something that is not there.
Thanks
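As an added example (not code from the original post, and not the Splunk add-on's own extraction logic): a small Python parser for the IIS W3C extended log format that names columns from the log's `#Fields:` header, next to the same parser forced to use a fixed field order. The sample log is constructed, not taken from any real server, and deliberately logs a field selection that differs from what is assumed to be the IIS default order (`DEFAULT_ORDER`, an assumption for illustration). The fixed-order pass reproduces the kind of shift the post describes: `s_port` holding a URI path, `c_ip` holding `80`, and `cs_method` holding a server name. Whether that is what is happening in the poster's deployment is not established by the post; the example shows why only a header-driven extraction survives a non-default field selection, and that comparing the real log's `#Fields:` line against the field order the extraction expects is the first check to make.

```python
"""IIS W3C log parsing, header-driven versus fixed-order (added example)."""
import re
from typing import Dict, Iterator, List, Optional, Sequence

# Constructed sample log (not from a real server). The site logs more fields
# than the default selection, and in a different order: s-sitename,
# s-computername and cs-version are present, so every later column shifts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-03-01 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-03-01 00:00:01 W3SVC1 WEB01 10.0.0.5 GET /ActiveEfficiency/Devices/ - 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0 - 200 0 0 15
2015-03-01 00:00:02 W3SVC1 WEB01 10.0.0.5 POST /api/login - 443 - 10.0.0.9 HTTP/1.1 Mozilla/5.0 - 401 2 5 7
"""

# Assumed fixed field order (believed to be the IIS default W3C selection).
# Any extraction that hard-codes an order like this instead of reading the
# #Fields: header will misname columns when the site's selection differs.
DEFAULT_ORDER = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]


def normalize(name: str) -> str:
    """Make a W3C field name identifier-safe: cs(User-Agent) -> cs_User_Agent."""
    return re.sub(r"[^A-Za-z0-9]+", "_", name).strip("_")


def assign(fields: Sequence[str], values: Sequence[str]) -> Dict[str, Optional[str]]:
    """Pair values with names positionally; '-' is the W3C null marker.

    Values beyond the known names become extra_field_N, names without a
    value become None, so a length mismatch is visible in the record.
    """
    record: Dict[str, Optional[str]] = {}
    for i, value in enumerate(values):
        key = fields[i] if i < len(fields) else f"extra_field_{i - len(fields) + 1}"
        record[key] = None if value == "-" else value
    for missing in fields[len(values):]:
        record[missing] = None
    return record


def parse_w3c(text: str, fixed_order: Optional[Sequence[str]] = None) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record.

    By default the column names come from the most recent #Fields: line,
    which IIS rewrites whenever the log is reopened, so a file may carry
    several. With fixed_order set, the header is ignored and that order is
    used for every record, which is the failure mode being demonstrated.
    """
    fields: List[str] = [normalize(f) for f in fixed_order] if fixed_order else []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:") and fixed_order is None:
                fields = [normalize(f) for f in line[len("#Fields:"):].split()]
            continue  # #Software, #Version, #Date carry no record
        if not fields:
            raise ValueError("record seen before any #Fields: header")
        yield assign(fields, line.split())


def misaligned(correct: Dict[str, Optional[str]], naive: Dict[str, Optional[str]]) -> List[str]:
    """Field names whose value differs between a correct and a naive record."""
    keys = set(correct) | set(naive)
    return sorted(k for k in keys if correct.get(k) != naive.get(k))


if __name__ == "__main__":
    good = list(parse_w3c(SAMPLE_LOG))
    bad = list(parse_w3c(SAMPLE_LOG, DEFAULT_ORDER))
    for name in ("cs_method", "s_port", "c_ip", "sc_status"):
        print(f"{name:10} header-driven={good[0][name]!r:30} fixed-order={bad[0][name]!r}")
    print("fields that shift:", misaligned(good[0], bad[0]))
```

Running the block prints the header-driven and fixed-order value side by side for a few fields; in the fixed-order pass `s_port` is `/ActiveEfficiency/Devices/`, `c_ip` is `80` and `cs_method` is `WEB01`, with the last three columns spilling into `extra_field_1..3`, which is the same shape of damage the post reports. On a real server the `#Fields:` line at the top of the current log file is the ground truth to compare against.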