Splunk Search

Why are fields not being extracted from my iis logs

k2skaterii
Path Finder

I am running version 6.3.0 on my indexer and all my universal forwarders. I'm currently trying to get things configured properly on one of my iis servers before pushing this configuration out to all of my other iis servers.

The iis logs are being forwarded to my index, but the only fields that are being extracted are host, source and sourcetype.

The inputs.conf on my iis server contains:

[monitor://<log_location>]
sourcetype = iis
index = iis_logs

The props.conf on my iis server contains:

[iis]
INDEXED_EXTRACTIONS = w3c

My indexer contains the default props.conf which includes

[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
category = web
description = w3c Extended log format produced by the Microsoft Internet Information Services (IIS) web server

Am I missing something that is preventing my indexer from extracting the fields from the iis logs?

0 Karma
1 Solution

woodcock
Esteemed Legend

When you use INDEXED_EXTRACTIONS, the field creation happens on the forwarder. I do not see any reason to have a separate props.conf configuration on your Indexer from what is on your forwarder. Put everything in the same file, deploy this props.conf file to your Forwarders and restart the splunk instances there and it should work fine.


0 Karma
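To make the accepted answer concrete, here is an added example (not code from the thread or from Splunk) of the work that INDEXED_EXTRACTIONS = w3c does on the forwarder: the #Fields directive names the columns, each data line supplies one value per column, and trailing NUL bytes at the end of a pre-allocated IIS log are the case detect_trailing_nulls covers. The sample log is constructed.

```python
"""W3C Extended Log Format parser for IIS logs, i.e. the per-field extraction that
INDEXED_EXTRACTIONS = w3c performs on the forwarder. Example code written for this
thread, not Splunk's implementation."""
from typing import Dict, Iterator, List, Optional

# Constructed sample of an IIS u_ex*.log file. IIS pre-allocates log files, so a
# partially written one can end in NUL bytes (the case detect_trailing_nulls covers).
SAMPLE_IIS_LOG = (
    "#Software: Microsoft Internet Information Services 8.5\n"
    "#Version: 1.0\n"
    "#Date: 2015-10-12 12:00:00\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken\n"
    "2015-10-12 12:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.20 Mozilla/5.0+(Windows) 200 0 0 15\n"
    "2015-10-12 12:00:02 10.0.0.5 GET /login.aspx ReturnUrl=%2fadmin 443 - 10.0.0.21 Mozilla/5.0+(Windows) 401 2 5 31\n"
    "2015-10-12 12:00:03 10.0.0.5 POST /api/upload - 443 CORP\\svc_web 10.0.0.22 curl/7.40.0 500 0 0 1203\n"
    + "\x00" * 4
)

def parse_w3c(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one event per data line, keyed by the names in the most recent #Fields
    directive. IIS writes a fresh header block whenever the log rolls or the logged
    fields change, so the field list is reset on every #Fields line."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip("\x00").strip()  # drop trailing NULs, then whitespace
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software/#Version/#Date carry no event data
        if not fields:
            raise ValueError("data line appeared before any #Fields directive")
        values = line.split(" ")  # IIS encodes spaces inside a value as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line!r}")
        # IIS writes '-' for an empty value; surface it as None, not the literal dash.
        yield {name: (None if val == "-" else val) for name, val in zip(fields, values)}

def extracted_fields(text: str) -> List[str]:
    """Field names a correctly configured forwarder would create for the sourcetype,
    in addition to the host, source and sourcetype that the indexer always adds."""
    names = set()
    for event in parse_w3c(text):
        names.update(event)
    return sorted(names)
```

If a search on the iis sourcetype shows only host, source and sourcetype, the names returned by extracted_fields are exactly the ones that never left the forwarder.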

k2skaterii
Path Finder

Water is wet. The Sky is blue. And computers do crazy crap.

Yesterday around noon, I pulled the props.conf out of the deployment app. When I left work fields were not being extracted. This morning when I showed up fields are being extracted.

While I'd like to spend time figuring out why.... I'm moving on to the next task: figuring out how to filter out the unnecessary iis logs.

0 Karma

k2skaterii
Path Finder

While it is a couple of years old, I was referencing the following blog when I was trying to configure Splunk to pull in the iis logs.

http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

The props.conf that is on the indexer is the default configuration file. I've tried copying the entire [iis] stanza from the props.conf on the indexer into the props.conf in the app that is being deployed to the universal forwarder, but that didn't help. Fields are still not being extracted.

I've also tried completely removing the props.conf from the app that is being deployed to the universal forwarder, that did not help either, same results.

All of my hosts are pointing to a heavy forwarder, which is forwarding the data on to the indexer. Could that be complicating things?

0 Karma