- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Difference between input.conf and search results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
This is my input.conf on the iis server:
[monitor://D:\IISLogs\W3SVC2]
index=iis_db
sourcetype=iis
However, this is my search result returns ii-2 instead of iis.
Is there a reason why the sourcetype in my search result is iis-2 instead of iis?
There are no changes to the index or sourcetype in transform.conf or props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IIS is a built-in sourcetype for Splunk. But IIS is not a simple sourcetype - it has many variants. So I often see that Splunk will assign a suffix to iis. You can expect to see iis-2, iis-3, etc. etc.
In Splunk 6, there are new ways to deal with IIS inputs. You might want to take a look at this blog entry:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi somesoni2, in props.conf, there are no changes being made to the sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IIS is a built-in sourcetype for Splunk. But IIS is not a simple sourcetype - it has many variants. So I often see that Splunk will assign a suffix to iis. You can expect to see iis-2, iis-3, etc. etc.
In Splunk 6, there are new ways to deal with IIS inputs. You might want to take a look at this blog entry:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay will try this out. Thanks again Iguinin.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can. You could also use a sourcetype alias, which might be easier.
http://docs.splunk.com/Documentation/Splunk/6.1/Data/Renamesourcetypes
The docs link talks about how to do this by editing the config file, but it is really easy to do from the UI. As a Splunk admin, go to Manager -> Fields -> Sourcetype renaming
Use this to rename the iis-2 sourcetype to plain iis. You only need to do this once for each of the weird names that Splunk assigns...
The other nice thing about sourcetype renaming is that you don't have to re-index any data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see. So in that case if I don't want it to be index this way, I should change the sourcetype to something else so that I can filter based on what I want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, although you obviously don't get the cool new ways to deal with the inputs. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lguinn. Thanks for the reply. Is the assigning of suffix to iis happening for versions below 6? I am currently using 4.3.3.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you provide your sourcetype definition from props.conf as well?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
