This application includes several FIELDALIAS commands in props.conf for the sourcetypes defined. One of these is "FIELDALIAS-s_computername = s_computername as host" which reassigns the host value at search time from the value of s_computername in the event. We don't log the host name in all of our IIS events so Splunk pulled the port (80 or 443) into this field, resulting in the majority of our events showing the port for the host.
My question is: Is it a standard practice to send IIS logs through a syslog server? This setting seems like it would only be helpful under that scenario. If IIS logs are sent through a syslog server then I would need to have IIS include the hostname so I could pull it from there. Otherwise all events would have the syslog server as the host.
If it is not a standard practice, and I don't think it is, why is this a default setting in the app?
Thanks kmorris. The solution was to comment out the offending line. Since this is a search time config, that fixed the issue retroactively.
The question, however, is why is that setting enabled by default? It seems to support an infrequent use case which means it should not be enabled by default.
A lot has changed in the way you set up parsing add-ons since this was initially made. Back in Splunk 6.x you would normally see FIELDALIAS rules for all fields that the data provided, to normalize it.
FIELDALIAS frequently causes problems now due to the new way it works, and NULLs overriding actual data is a problem if there is no source field matching the FIELDALIAS definition. Back in Splunk 6.x, you would not have this issue, as the lack of a source field (s_computername) would result in the FIELDALIAS getting skipped, and the host field you already had would still be there when you search.
On the other hand, overriding host for Splunk data on a forwarder is unnecessary in most cases, as the host field would already exist; it would make sense for the maintainer of this add-on to remove or disable this one in particular.
Thanks for the follow up with the solution!
I changed the line
FIELDALIAS-s_computername = s_computername as host
to
FIELDALIAS-s_computername = s_computername ASNEW host
so it won't overwrite the value with null() since my IIS logs don't have an s_computername field.
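A small audit script for the situation discussed in this thread, added as an example here (not code from the add-on or from any poster): it reads a props.conf, finds FIELDALIAS rules that use a bare AS to overwrite a default field such as host, and shows the ASNEW rewrite. The sample stanza, the protected-field list and the function names are constructed for the example.

```python
import configparser
import re

# Default fields present on every indexed event. An "AS" alias onto one of
# these replaces a value you already have (assumption: this audit list).
PROTECTED_FIELDS = {"host", "source", "sourcetype", "index"}

# One "<orig> AS|ASNEW <new>" pair; field names may be double-quoted.
PAIR_RE = re.compile(r'("[^"]+"|\S+)\s+(AS|ASNEW)\s+("[^"]+"|\S+)', re.IGNORECASE)

# Constructed props.conf fragment modelled on the rule discussed above.
PROPS_SAMPLE = """\
[iis:sample]
FIELDALIAS-s_computername = s_computername as host
FIELDALIAS-cs_method = cs_method as http_method
FIELDALIAS-dest = s_ip ASNEW dest
"""


def audit_fieldaliases(props_text):
    """Return (stanza, key, orig_field, new_field) for every FIELDALIAS pair
    that uses AS (not ASNEW) to write onto a protected default field."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. FIELDALIAS-s_computername
    cp.read_string(props_text)
    findings = []
    for stanza in cp.sections():
        for key, value in cp.items(stanza):
            if not key.upper().startswith("FIELDALIAS-"):
                continue
            for orig, op, new in PAIR_RE.findall(value):
                new_name = new.strip('"')
                if op.upper() == "AS" and new_name in PROTECTED_FIELDS:
                    findings.append((stanza, key, orig.strip('"'), new_name))
    return findings


def suggest_fix(value):
    """Rewrite each bare AS in a FIELDALIAS value to ASNEW, which keeps the
    existing host value when the source field is absent from the event."""
    return re.sub(r"\bAS\b", "ASNEW", value, flags=re.IGNORECASE)


if __name__ == "__main__":
    for stanza, key, orig, new in audit_fieldaliases(PROPS_SAMPLE):
        print(f"[{stanza}] {key}: '{orig}' overwrites '{new}' with AS")
        print(f"  suggested: {key} = {suggest_fix(f'{orig} as {new}')}")
```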
Typically, IIS logs are ingested directly from the web server using a universal forwarder. Take a look at the documentation for the Add-on here. I'm not sure if that gets you around the issue of not logging the host or not.