I keep all the IIS web sites in the following folder: D:\inetpub\LogFiles
So the tree would look like this:
D:\inetpub\LogFiles
|-> W3SVC1
|-> W3SVC2...etc.
My input.conf is set as follows:
[monitor://D:\inetpub\LogFiles]
sourcetype=iis
ignoreOlderThan = 14d
HOWEVER...It appears that the logs are coming in and splunk is applying the following sourcetypes, seemingly at random to these IIS Log files:
iis
iis-2
iis-3
iis-4
Why? The logs are exactly the same. What are all of these others sourcetypes (iis-
This answer explains what goes on in detail: http://splunk-base.splunk.com/answers/72860/sourcetypes-keep-on-multiplying