I am new to Splunk, so please forgive me if the answer to the question is obvious....
I am trying to index W3C IISlogs with splunk. First I tried to index the file locally on the Splunk server. I found a post that suggested that I should add the lines below to
[iisw3c]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = False
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments
I also added these lines to transforms.conf
[removecomments]
REGEX = ^#.*
DEST_KEY = queue
FORMAT = nullQueue
[iisw3cfields]
DELIMS = " "
FIELDS = date,time,cs-method,cs-uri-stem,cs-uri-query,c-ip,sc-status,sc-substatus,sc-win32-status,sc-bytes,cs-bytes,time-taken
After that it works perfectly as long as I monitor a folder on the Splunk server and use my newly defined sourcetype.
Now I want the monitor to run on another remote server and then let the splunk server listen on a TCP port.
I can easily get something back, but now it doesn't recognise the format again. Even if I tell the listener that it is iisw3c.
I found a suggestion that I should add the Checkforheader = false on the forwarder, but I am uncertain where exactly to do it since the file structure is slightly different.
Any suggestions of what I have done wrong or what is missing?
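Added example (not from the poster or from Splunk): a small Python reimplementation of what the posted props.conf/transforms.conf stanzas do to a W3C IIS log, so the expected result of the field extraction can be checked locally before debugging the forwarder path. The sample log lines are constructed; the field list is the one from the [iisw3cfields] stanza.

```python
from datetime import datetime, timezone

# Field list copied from the post's [iisw3cfields] stanza (FIELDS = ...)
FIELDS = ("date,time,cs-method,cs-uri-stem,cs-uri-query,c-ip,sc-status,"
          "sc-substatus,sc-win32-status,sc-bytes,cs-bytes,time-taken").split(",")

# Constructed sample: W3C header lines (which [removecomments] sends to
# nullQueue) followed by two data lines.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 00:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-01-15 00:00:01 GET /index.html - 203.0.113.5 200 0 0 1024 512 15
2024-01-15 00:00:02 POST /login.aspx user=bob 198.51.100.7 401 2 5 256 128 30
"""


def parse_iisw3c(text, fields=FIELDS):
    """Return one dict per data line, mirroring the posted Splunk config.

    - lines matching ^#.* are dropped (TRANSFORMS-removecomments -> nullQueue)
    - remaining lines are split on a single space (DELIMS = " ")
    - date + time are read as GMT (TZ = GMT); no header detection is done,
      matching CHECK_FOR_HEADER = False
    """
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            # Field count mismatch: keep the raw line so nothing is silently lost
            events.append({"_raw": line, "_parse_error": True})
            continue
        event = dict(zip(fields, parts))
        event["_time"] = datetime.strptime(
            f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in parse_iisw3c(SAMPLE_LOG):
        print(ev)
```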