I have a Splunk Standalone instance running at v8.2.10 I have recently installed the Microsoft Add-on for Microsoft IIS (version 1.2.0) on my Splunk server and have also deployed this app to a windows server with IIS installed (and a UF installed). However I seem to be having difficulties getting any logs from this IIS server.  If I do a search on data in this new index (index=windows_iis), it is returning no results. If I look under Settings>indexes, I can see the newly created index, however it has 0 for event count.   These were the basic steps I have followed so far: I have created a new index for these logs called "windows_iis" - all other settings as default. Installed the Microsoft Add-on for Microsoft IIS on my Splunk Enterprise instance (combined Search Head/Indexer/deployment server). I have copied the contents of this add-on to the /opt/splunk/etc/deployment-apps folder Within the deployment app I have created the following inputs.conf file under the deployment app local directory: [monitor://C:\inetpub\logs\LogFiles] disabled=false sourcetype=ms:iis:auto index=windows_iis I have reloaded the deployment server. I have created a new server class and pushed this app out to the IIS server.  I have gone through and done the following troubleshooting steps: looking on the IIS server in c:\program files\splunkuniversalforwarder\var\log\splunk\splunkd.log, I can see: UF on IIS server is showing connected to my indexer. The UF has "adding watch on path: C:\inetpub\logs\LogFiles". So the UF is monitoring the IIS log files. I am also getting some INFO messages - "ChunkedLBProcessor Failed to find EVENT_BREAKER regex in props.conf for sourcetype: ms:iis:auto. Reverting to the default EVENT_BREAKER regex for now". Not sure how relevant these are? I think my problem might be more fundamental? If I do a search on my Splunk Enterprise instance as follows: "index=_internal host="IIS_Server01" component=Metrics group=per_sourcetype_thruput series="ms:iis:auto" ", I can events being sent from the UF on the IIS server (e.g kbps=0.557, eps=3.3, kb=33, ev=202). I can actually see logs in C:\inetpub\logs\LogFiles\W3SVC1 folder on the IIS server, so there is data there to collect.  Does the modified local/inputs.conf need to also be configured on the Splunk Enterprise server app or is this inputs.conf configuration only needed on the UF deployment app (which is what I have done)? Any thoughts on why these events aren't being ingested by my Splunk Enterprise server would be greatly appreciated. Thanks, ... View more

I have a standalone instance of Splunk. I am running both: Splunk Add-on for Unix and Linux, and Splunk App for Unix. Since the Splunk App for Unix has reached End-of-Life and is not required in my deployment anymore i am looking to remove it. Initially i tried just using Splunk command: ./splunk remove app splunk_app_for_nix However noticed that this impacts the index "os" used by the Splunk Add-on for Unix and Linux. The index no longer appears in the web gui under settings>indexes. If i look in the CLI, i can still see data in /opt/splunk/os/db, so the data still appears to be there, but is not being used apparently.... I am getting Message saying "Received event for unconfigured/disabled/deleted index=os ...", so am not entirely sure what the status of this index is now. What is the best way to remove this app without affecting the index? Thanks,     ... View more