Does sourcetype=iis work for W3SVC logs with all fields?

kmower
Communicator

I am still trying to work out sourcetype=iis. I am aware of the Add-On for IIS and have installed it, but I want to use the Splunk App for Web Analytics - and I am still unsure whether I have to have the IIS Add-On for Splunk or whether sourcetype=iis should be able to parse W3SVC logs from IIS, which are the default, I believe. That is, IIS has three options for logging: IIS, NCSA, and W3SVC ... all of which are 'iis logs'.

So, can someone please tell me what sourcetype=iis will actually read? The IIS 'iis' log type only, or more of the 'iis log formats'? Thank you.

0 Karma

tsaikumar009
Explorer

The Splunk App for Web Analytics currently supports data from Apache, IIS and AWS Cloudfront logs. Make sure you use the sourcetypes access_common, access_combined, iis, apache:access or aws:cloudfront:accesslogs for this data. If you already have data in Splunk under a different sourcetype, you can use sourcetype renaming or modify the eventtype web-traffic to include the names of your sourcetypes.

From the Web Analytics description:

You need to route the W3SVC logs to sourcetype=iis; then the app will pick up the logs automatically.

0 Karma

kmower
Communicator

Thanks. Can you tell me how to route the W3SVC logs to sourcetype=iis? If so, does that mean that I do not need to use the Microsoft IIS Add-On for IIS logs and that I can use W3SVC logs as sourcetype=iis without doing anything else? The existence/use of the IIS Add-On has confused me, I must admit. Thanks again.

0 Karma

tsaikumar009
Explorer

ms:iis:auto Microsoft IIS log files in W3C format. Use this source type to enable index-time field extraction.

ms:iis:default Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction.

The above are the two sourcetypes which will be created by the IIS add-on for Microsoft.

But for Web Analytics, the data is loaded automatically for dashboards, provided the role has appropriate permissions to read W3SVC logs.

If your data is stored in an index that is not searched by default for your Splunk user, you need to add All non-internal indexes (or the specific index in question) to the Selected indexes in Access controls -> Roles -> [ROLE NAME].

0 Karma
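
The two routes named in the app description quoted above, sketched as Splunk configuration. This is an added example, not from any poster in this thread or from the app's documentation; the monitor path assumes the IIS default log directory for site 1, and the index name `web` is a placeholder.

```ini
# --- inputs.conf (on the forwarder that reads the IIS log directory) ---
# Route 1: assign sourcetype=iis at input time to the W3C-format files
# that IIS writes per site under W3SVC<site id>.
# Path is the IIS default location (assumption); adjust to your site id.
[monitor://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
sourcetype = iis
# "web" is a placeholder index name; the searching role must be able
# to read it (see the Selected indexes note in the answer above).
index = web
disabled = 0

# --- props.conf (on the search head) ---
# Route 2: events already indexed under the add-on's sourcetype are
# presented as sourcetype=iis at search time (sourcetype renaming).
# The indexed data is not modified.
[ms:iis:auto]
rename = iis
```

Use one route per data set: route 1 for new inputs, route 2 for events that are already indexed under a different sourcetype.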