If you have a deployment server and want to collect logs from a web server through a Universal Forwarder, the following may help you:
Install "Splunk App for Web Analytics" on SH
Install "Splunk Add-on for Microsoft IIS" on SH
Install "Splunk Add-on for Microsoft IIS" on IDX
Install UF on the web server
Copy the app “Splunk_TA_microsoft-iis” from $SPLUNK_HOME/etc/apps to “Splunk_TA_microsoft-iis” in $SPLUNK_HOME/etc/deployment-apps
Create inputs.conf in $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_microsoft-iis/local
[monitor://C:\IIS-LOG-Files\W3SVC*.*]
disabled = false
sourcetype = iis
index = my-index
Create props.conf in $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_microsoft-iis/local
[iis]
INDEXED_EXTRACTIONS = w3c
Make sure you have created outputs.conf in the local directory to send logs to the indexer
Example of outputs.conf:
[tcpout]
defaultGroup = indexer
[tcpout:indexer]
server = indexer_IP:9997
autoLB = true
Create the server class my-serverclass on the DS (deployment server)
Add Splunk_TA_microsoft-iis to my-serverclass as the app
Create the index my-index on IDX
Add the web server as a client to my-serverclass
Check C:\Program Files\SplunkUniversalForwarder\etc\apps on the web server to ensure the app Splunk_TA_microsoft-iis has been pulled
Restart the splunkuniversalforwarder service on the web server
Search for sourcetype iis and index my-index on SH
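As an added example (not part of the original post and not Splunk tooling), this Python script lints the three local .conf files of the deployment app before the server class pushes them: it flags settings typed outside a [stanza], a monitor input with no index or no matching INDEXED_EXTRACTIONS sourcetype in props.conf, and a defaultGroup that does not resolve to a [tcpout:<group>] stanza with a server. The function names parse_conf and check_app are hypothetical, the sample file contents are constructed from the values in the post, and only the local files the post creates are checked.

```python
import re
STANZA = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '' holds lines found before any stanza."""
    conf, current = {"": {}}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            current = header.group(1)
            conf.setdefault(current, {})
        else:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf

def check_app(inputs, props, outputs):
    """Return a list of findings for the three local .conf files of the deployment app."""
    inp, prp, out = parse_conf(inputs), parse_conf(props), parse_conf(outputs)
    findings = [f"{name}: lines outside any [stanza]: {sorted(conf[''])}"
                for name, conf in (("inputs.conf", inp), ("props.conf", prp), ("outputs.conf", out))
                if conf[""]]
    monitors = {n: s for n, s in inp.items() if n.startswith("monitor://")}
    if not monitors:
        findings.append("inputs.conf: no [monitor://...] stanza")
    for name, settings in monitors.items():
        if "index" not in settings:
            findings.append(f"inputs.conf [{name}]: no index, events go to the default index")
        sourcetype = settings.get("sourcetype")
        if "INDEXED_EXTRACTIONS" not in prp.get(sourcetype, {}):
            findings.append(f"props.conf: no INDEXED_EXTRACTIONS for sourcetype {sourcetype!r}")
    groups = [g.strip() for g in out.get("tcpout", {}).get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        findings.append("outputs.conf: [tcpout] has no defaultGroup")
    for group in groups:
        if not out.get(f"tcpout:{group}", {}).get("server"):
            findings.append(f"outputs.conf: [tcpout:{group}] is missing or has no server")
    return findings

# Constructed sample files using the values from the post (indexer_IP is the post's placeholder).
GOOD_INPUTS = "[monitor://C:\\IIS-LOG-Files\\W3SVC*.*]\ndisabled = false\nsourcetype = iis\nindex = my-index\n"
BAD_INPUTS = GOOD_INPUTS.replace("[", "").replace("]", "")   # stanza header typed without brackets
PROPS = "[iis]\nINDEXED_EXTRACTIONS = w3c\n"
OUTPUTS = "[tcpout]\ndefaultGroup = indexer\n[tcpout:indexer]\nserver = indexer_IP:9997\nautoLB = true\n"
if __name__ == "__main__":
    for label, text in (("good", GOOD_INPUTS), ("bad", BAD_INPUTS)):
        print(label, check_app(text, PROPS, OUTPUTS) or "no findings")
```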