Cannot produce fields from IIS logs - please help

dmitry_nechaev_
Engager

I'm new to Splunk

I have a trivial task of analyzing IIS logs.
So I
- installed Splunk on local computer.
- installed "Splunk Add-on for Microsoft IIS"
- Created data source from folder, using ms:iis:auto as source type and Splunk_TA_microsoft-iis.

When I search after the source was created, it displays no IIS log fields, only some internal ones.

I cannot understand from the documentation what I should do to see IIS fields in IIS log files.
I tried all combinations, like default application, source type iis or ms:iis:default, with the same outcome.

Please help.

0 Karma

dmitry_nechaev_
Engager

As a new person to Splunk I could not achieve basic functionality of reading W3C log.
I used Log Parser to achieve the aim.

The outcome in regards to Splunk - I deleted it and developed a negative bias to that tech.

0 Karma

Sukisen1981
Champion

Hi,
There are 2 things here: testing the events as you want them, and doing it in production.
Since you know the path of the logs you are trying to index, for testing
go to settings > add data > monitor > files & directories > select the folder/file you want to monitor.

Once you do this you should be able to see if data gets indexed in your local splunk, that would rule out issues with the source data.
We did this for one of our production apps AND we did not use the add-on app. Once we were sure of the data indexed by testing through continuous monitoring, we simply added a forwarder to send the logs from the specific folder to the production Splunk instance.
WARNING - If you do decide to monitor the logs manually, keep an eye on the data being indexed; you could run out of your trial license limits...

0 Karma

dmitry_nechaev_
Engager

Hi @Sukisen1981

At this point in time I want to verify the software can work with IIS logs.
I added the source folder using "go to settings > add data > monitor > files & directories > select the folder/file".
Nothing changed. Splunk does import the files BUT does NOT parse the log.
It just displays log lines, whether header or data, and does not parse them into fields.

0 Karma
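The field extraction the asker expected from Splunk is driven by the `#Fields:` directive that IIS writes at the top of every W3C extended log file: the directive names the columns, and each data row is a space-separated list in that order, with `-` for empty values. The following is an added example, not code from the thread or from the Splunk add-on, that parses that format directly so the expected fields can be checked against the raw file before blaming the indexer. The sample log is constructed for the example; the helper names (`parse_w3c`, `status_counts`, `clients_with_status`) are the example's own.

```python
"""Parse IIS W3C extended log text into per-request field dictionaries.

Added example (not from the thread or the Splunk add-on). The sample below is
constructed to mimic the default IIS W3C layout: directive lines starting with
'#', then one space-separated row per request. IIS replaces spaces inside a
value with '+', so splitting on whitespace is safe.
"""

# Constructed sample log: three directives, a #Fields header and two rows.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 00:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2024-05-01 00:00:02 10.0.0.5 POST /login.aspx ReturnUrl=%2f 443 - 203.0.113.9 curl/8.0 401 2 5 120
"""

# Columns IIS always writes as integers; everything else stays a string.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "time-taken", "sc-bytes", "cs-bytes"}


def parse_w3c(text):
    """Return a list of dicts, one per data row, keyed by the #Fields names.

    A '#Fields:' line resets the column layout, so a file whose logging
    configuration changed mid-way (IIS emits a new header in that case) is
    handled. A data row before any header, or a row whose column count does
    not match the header, raises ValueError instead of silently misaligning.
    """
    fields = None
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            # #Software, #Version, #Date carry no per-request data.
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data row before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        record = {}
        for name, value in zip(fields, values):
            if value == "-":          # IIS placeholder for an empty value
                record[name] = None
            elif name in INTEGER_FIELDS:
                record[name] = int(value)
            else:
                record[name] = value
        records.append(record)
    return records


def status_counts(records):
    """Histogram of HTTP status codes, the first sanity check on any web log."""
    counts = {}
    for rec in records:
        status = rec.get("sc-status")
        counts[status] = counts.get(status, 0) + 1
    return counts


def clients_with_status(records, status):
    """Sorted, de-duplicated client IPs that received the given status code."""
    return sorted({rec["c-ip"] for rec in records
                   if rec.get("sc-status") == status and rec.get("c-ip")})


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for rec in recs:
        print(rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"])
    print("status counts:", status_counts(recs))
    print("clients with 401:", clients_with_status(recs, 401))
```

Point the parser at a real file with `parse_w3c(open(path, encoding="utf-8").read())`. If it raises on column count, the file's rows do not match its own header, which is exactly the kind of input that will also defeat any field extraction downstream; if it parses cleanly but the indexer still shows only internal fields, the problem is on the ingestion side (sourcetype assignment or add-on configuration), not in the data.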