There is a workaround if you choose not to re-index the log files. You can create a new eventtype that includes all the different iis sourcetypes. Then create a new iisFieldExtraction stanza in the transforms.conf file that will be used in props.conf to do search-time field extractions.
Hope that makes sense. If not, here are some more details:
Create a new eventtype called "iislogs" using the following query:
sourcetype=*_iislogs OR sourcetype=iis*
"iis*" is used in case your indexer appends a -1 or -2 to your iis sourcetypes. I don't know why that's the case. It's supposed to have stopped doing that since version 4, but mine at version 4.2.4 is still doing it.
Anyway, now you have to add the following to the transforms.conf file to define generic field extraction information for your *_iislogs sourcetypes:
DELIMS = " "
Now, create a [servername_iislogs] stanza for all the iislogs sourcetypes in props.conf that looks like the following:
REPORT-iislogs = delimExtractionsIIS
REPORT-iislogs = delimExtractionsIIS
If the path to the iis log files on all the servers is identical, you can also use just a single "source" stanza for all the servers. For example, if all your iis log files are stored on d:\logs\iislogs, you can just use the following:
REPORT-iislogs = delimExtractionsIIS
From now on, all your IIS related queries must begin with eventtype=iislogs.
Example: eventtype=iislogs | table s-ip, c-ip
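The following is an added example and is not code from the answer above or from Splunk. It emulates what a DELIMS=" " / FIELDS=... search-time extraction does to IIS W3C log lines, and shows the check a practitioner wants before pointing one fixed FIELDS list at every server: if one server logs a different set of columns, a positional split silently puts the wrong value into c-ip. The server names, sourcetypes and log lines are constructed for the example; the field list matches the IIS 7 default logging fields.

```python
"""Added example (not from the original post or Splunk): emulate a Splunk
DELIMS/FIELDS delimiter extraction for IIS W3C logs and show why one fixed
FIELDS list only works when every server logs the same columns in the same
order. All sample data below is constructed."""
import fnmatch

# Constructed log from a hypothetical server "web01" (IIS 7 default fields).
WEB01_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-03-01 00:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2012-03-01 00:00:02 10.0.0.5 GET /login.aspx ReturnUrl=%2fadmin 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 302 0 0 3
"""

# Constructed log from a hypothetical "web02" whose admin turned off the
# cs-uri-query and cs-username columns: every position after cs-uri-stem shifts.
WEB02_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-03-01 00:00:05 10.0.0.6 POST /upload.aspx 443 203.0.113.9 curl/7.22.0 500 0 0 120
"""

# The field list one would hard-code as FIELDS in the transforms.conf stanza,
# taken from web01's #Fields header (assumed, for the example).
STATIC_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status", "time-taken",
]


def matches_iislogs_eventtype(sourcetype):
    """Same predicate as the eventtype search in the post:
    sourcetype=*_iislogs OR sourcetype=iis*  (Splunk wildcard match,
    case-insensitive like Splunk field-value searches)."""
    st = sourcetype.lower()
    return fnmatch.fnmatchcase(st, "*_iislogs") or fnmatch.fnmatchcase(st, "iis*")


def delim_extract(line, fields, delim=" "):
    """Emulate DELIMS/FIELDS: split on the delimiter and assign by position.
    Returns (extracted, aligned); aligned is False when the value count does
    not match the field list, meaning the positions have shifted."""
    values = line.split(delim)
    aligned = len(values) == len(fields)
    # IIS writes '-' for an empty value; treat it as missing.
    extracted = {name: (None if v == "-" else v) for name, v in zip(fields, values)}
    return extracted, aligned


def parse_iis_w3c(text):
    """Header-driven parser: take the column names from each file's #Fields
    directive instead of a fixed list, so logs with different column sets
    still extract correctly. IIS encodes spaces inside a value as '+', so a
    plain space split is safe."""
    fields, events = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        event, aligned = delim_extract(line, fields)
        if not aligned:
            raise ValueError("value count does not match #Fields: " + line)
        events.append(event)
    return events


def data_lines(text):
    """Non-directive lines of a log, i.e. what Splunk would index as events."""
    return [l for l in text.splitlines() if l and not l.startswith("#")]


if __name__ == "__main__":
    for st in ("web01_iislogs", "iis-2", "WinEventLog:Security"):
        print(st, "->", matches_iislogs_eventtype(st))
    # Fixed FIELDS list applied to web02: c-ip gets the HTTP status code.
    shifted, aligned = delim_extract(data_lines(WEB02_LOG)[0], STATIC_FIELDS)
    print("static FIELDS on web02: aligned =", aligned, "c-ip =", shifted["c-ip"])
    # Header-driven parse gets it right on both servers.
    for ev in parse_iis_w3c(WEB01_LOG) + parse_iis_w3c(WEB02_LOG):
        print("s-ip =", ev["s-ip"], "c-ip =", ev["c-ip"])
```

The practical check before shipping a single [delimExtractionsIIS] stanza is to compare the #Fields header of every server's log; if they differ, either make the IIS logging field selection identical on all servers or give each sourcetype its own transforms stanza with its own FIELDS list.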