Hello
I am having a difficult time getting Splunk to recognize fields from my IIS 7.5 logs. I know that there are many, many posts in splunk-base regarding this - I have looked through many of them and tried the suggested answers in at least 8-10 different posts. None of them have worked for me, even though I don't have a custom config - just a standard IIS server with logging enabled and default fields selected. The files get indexed, but the fields are not recognized (i.e. I cannot simply search for "time-taken > 50" within the data indexed from these logs).
Here is my full config:
Splunk versions:
Client UF: 4.3.3
Intermediary UF: 4.3.3
Indexer: 4.3.4
Client UF sends data to intermediary UF, which sends it to the indexer.
My current config (and last attempt to make this work) on the Client UF is:
C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\inputs.conf
[monitor://C:\inetpub\logs]
disabled = false
followTail = 0
sourcetype = iisw3c
index = testindex
C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\props.conf
[iisw3c]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments
C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\transforms.conf
[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue
[iisw3cfields]
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken
What am I doing wrong?
Thanks in advance!
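Added example, not part of the original post and not Splunk's own code: a small Python parser that does what the posted [iisw3cfields] stanza is meant to do (split on a single space, drop "#" comment lines as the nullQueue transform does) and checks that the log's "#Fields:" header actually matches the FIELDS list, since any mismatch shifts every later column and silently breaks a search like time-taken > 50. The sample log lines and host names are constructed; `parse_w3c`, `header_mismatch` and `slow_requests` are names chosen for this example.

```python
from itertools import zip_longest
from typing import Dict, List

# FIELDS list copied verbatim from the poster's [iisw3cfields] stanza.
FIELDS = [f.strip() for f in (
    "date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, "
    "cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), "
    "cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, "
    "sc-win32-status, sc-bytes, cs-bytes, time-taken").split(",")]

# Constructed sample IIS 7.5 W3C log (two events). IIS writes spaces inside a
# value (e.g. the User-Agent) as '+', which is why DELIMS = " " is workable.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-09-01 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2012-09-01 00:00:01 W3SVC1 WEBSRV01 10.0.0.5 GET /default.aspx - 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - - www.example.com 200 0 0 1234 321 15
2012-09-01 00:00:02 W3SVC1 WEBSRV01 10.0.0.5 GET /search.aspx q=test 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - - www.example.com 200 0 0 5678 400 87
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """One dict per event. '#' lines are dropped (like the nullQueue transform);
    a '#Fields:' header, when present, overrides the static FIELDS names."""
    names = FIELDS
    events = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names = line[len("#Fields:"):].split()
            continue
        if not line.strip():
            continue
        events.append(dict(zip(names, line.split(" "))))  # DELIMS = " "
    return events


def header_mismatch(text: str) -> List[str]:
    """Positions where the log's #Fields: header and FIELDS disagree; empty
    means the static FIELDS list lines up with what IIS actually writes."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            header = line[len("#Fields:"):].split()
            return [f"{h} != {f}" for h, f in zip_longest(header, FIELDS) if h != f]
    return ["no #Fields: header found"]


def slow_requests(events: List[Dict[str, str]], threshold_ms: int = 50) -> List[str]:
    """cs-uri-stem of every event whose time-taken exceeds the threshold
    (the 'time-taken > 50' search from the post, done numerically)."""
    return [e["cs-uri-stem"] for e in events
            if e.get("time-taken", "").isdigit() and int(e["time-taken"]) > threshold_ms]
```

Run `header_mismatch` against a real log before trusting search-time extractions; a header that differs from FIELDS is a column shift, not a Splunk bug.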