@Tom_Lundie , thanks for your response. Have checked and the index=windows_iis is definitely enabled. Have double checked to make sure that there is no typo's here between name of index and what is in the inputs.conf monitor stanza. The UF is definitely outputting traffic to this index I ran a btool on outputs.conf on the IIS UF, and it is only forwarding traffic out to the one Splunk server. As a part of this work i also enabled the collection of some perfmon stats on this IIS server as well (going into a different directory). These are coming through ok. Where would i find info on routing? If I do a search on my Splunk Enterprise server for: index=_internal source="/opts/splunk/var/log/splunk/splunkd.log" "deleted index", I'm not seeing any results. Further looking through the metrics log on the IIS server. I can see: group=per_source_thruput, series="C:\inetpub\logs\logfiles\w3svc1\<log_file_name>.log." is showing packets being sent against each of the log files in that directory. So definitely seems to be monitoring the right files. group=per_sourcetype_thruput, series="ms:iis:auto" is showing packets being sent. group=thruput, name=idxsummary, series="windows_iis" is showing packets being sent. group=per_index_thruput, series="windows_iis" is showing packets being sent to the correct index. If I look at the metrics.log file on my Splunk Enterprise server, I can see that: group=per_index_thruput, series="windows_iis" has non zero eps and ev parameter .... so presumably the splunk enterprise server is seeing this traffic for this index arriving. group=per_sourcetype_thruput, series="ms:iis:auto" has non zero eps and ev parameter .... so presumably the splunk enterprise server is seeing this traffic for this sourcetype arriving.
... View more