I have added some IIS logs to Splunk via the "Files and Directories" input. While I can query the raw data it does not appear that Splunk is recognizing the format of these logs. For example when I query "source="\\xxxxxxxxx\IIS Logs*"" I receive the following results:
119.63.193.195, -, 5/21/2014, 23:59:53, W3SVC3, xxxxxxxxx , xx.xx.xx.xx, 187, 144, 2800, 200, 64, GET, /, -,
date_hour = 23
date_mday = 21
date_minute = 59
date_month = may
date_second = 53
date_wday = wednesday
date_year = 2014
date_zone = local
eventtype = wineventlog-index
eventtype = winevents
host = xxxxxxx
index = main
linecount = 1
punct = ...,-,//,::,,,...,,,,,,,/,-,
source = \xxxxxxxxx\IIS Logs\u_in14052123.log
sourcetype = u_in-too_small
splunk_server = xxxxxxxxx
timeendpos = 38
timestartpos = 19
The first part of the result, "119.63.193.195", is the client IP that accessed this website. My issue is that Splunk is not recognizing this field as the clientip.
My logs are in IIS format.
What am I doing wrong?
Additionally, in the above results, what is "punct = ...,-,//,::,,,...,,,,,,,/,-,"?
Thank you for your time.
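An added example, written here and not taken from the post or from Splunk: a small Python parser for the Microsoft IIS log file format, whose fixed 15-field comma-separated layout matches the sample line in the question. The hostnames, server IP and extra request lines in the sample are constructed placeholders. The parser names each field, converts the numeric ones and the timestamp, and pulls out the client IP, which is the field Splunk did not extract. The `-too_small` suffix on the sourcetype means Splunk saw too few lines to autodetect a format, so on the Splunk side the usual fix is to assign the sourcetype explicitly on the input; the parser shows what the extracted fields should look like once the format is recognised.

```python
"""Parse lines in the Microsoft IIS (native) log file format.

Added example, not code from the original post. The format is a fixed
sequence of 15 comma-separated fields with a trailing comma.
"""
from datetime import datetime

# Field order of the Microsoft IIS log file format (fixed, 15 fields).
IIS_FIELDS = (
    "clientip", "username", "date", "time", "service_instance",
    "server_name", "server_ip", "time_taken_ms", "bytes_received",
    "bytes_sent", "status", "win32_status", "method", "uri", "query",
)

# Constructed sample lines modelled on the one in the question;
# hostnames, server IP and the 2nd/3rd requests are placeholders.
SAMPLE_LOG = (
    "119.63.193.195, -, 5/21/2014, 23:59:53, W3SVC3, WEBSRV01, 10.0.0.5, 187, 144, 2800, 200, 64, GET, /, -,\n"
    "198.51.100.7, -, 5/21/2014, 23:59:54, W3SVC3, WEBSRV01, 10.0.0.5, 12, 300, 512, 404, 2, GET, /admin/login.aspx, -,\n"
    "203.0.113.9, DOMAIN\\alice, 5/21/2014, 23:59:55, W3SVC3, WEBSRV01, 10.0.0.5, 45, 600, 128, 500, 0, POST, /api/upload, id=42,\n"
)


def parse_iis_line(line):
    """Return a dict of named fields for one IIS-format line, or None if malformed.

    Each line ends with a trailing comma, so splitting yields one empty extra
    element that is dropped. Numeric fields are converted to int and the date
    and time fields are combined into a datetime.
    """
    parts = [p.strip() for p in line.rstrip("\r\n").split(",")]
    if parts and parts[-1] == "":
        parts.pop()  # drop the empty element after the trailing comma
    if len(parts) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    try:
        for key in ("time_taken_ms", "bytes_received", "bytes_sent", "status", "win32_status"):
            rec[key] = int(rec[key])
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None  # a field that should be numeric or a date was not
    return rec


def parse_iis_log(text):
    """Parse every non-empty line, skipping lines that do not fit the format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_iis_line(line)
        if rec is not None:
            records.append(rec)
    return records


def requests_by_client(records):
    """Count requests per client IP, the field the question wants recognised."""
    counts = {}
    for rec in records:
        counts[rec["clientip"]] = counts.get(rec["clientip"], 0) + 1
    return counts


def server_errors(records):
    """Return records with a 5xx status, a common first triage filter."""
    return [r for r in records if 500 <= r["status"] < 600]


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for r in recs:
        print(r["timestamp"], r["clientip"], r["method"], r["uri"], r["status"])
    print(requests_by_client(recs))
    print([r["uri"] for r in server_errors(recs)])
```

The field names follow the order Microsoft documents for this format (client IP, user name, date, time, service and instance, server name, server IP, time taken, client bytes sent, server bytes sent, service status, Windows status, request type, target, parameters); the W3C extended format used by newer IIS defaults is space-separated with a `#Fields:` header and needs a different parser.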