Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are the time stamps taken from the file change time for IIS?

ddrillic
Ultra Champion
‎05-22-2019 08:32 AM

For some reason, the _time for the ms:iis:auto events are taken from the file change/create time, which seems to be either the creation or the daily rotation time.

In the file itself the date/stamp look just fine -

2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/sitemin....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/common_....
2017-07-01 00:00:00 10.106.180.47 GET /cl_includes/images/....
2017-07-01 00:00:00 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:01 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....
2017-07-01 00:00:06 10.106.180.47 GET /health.html - 443 -....
Tags (2)
Reply

ddrillic
Ultra Champion
‎05-23-2019 07:35 AM

ms:iis:auto doens't work for us while ms:iis:default with TZ adjustment works - weird.

0 Karma
Reply

koshyk
Super Champion
‎05-26-2019 02:03 AM

@ddrillic , mate did you find a working configuration?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-22-2019 03:07 PM

We recently went through this and we found best luck with ms:iis:auto but we only had to install the TA on the forwarders and search heads, not the indexers

Reply

ddrillic
Ultra Champion
‎05-23-2019 07:47 AM

Really interesting @jkat54.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-26-2019 05:14 AM

I believe we did install it everywhere but the trick was that the universal forwarder needed it.

0 Karma
Reply

ddrillic
Ultra Champion
‎05-22-2019 09:20 AM

A colleague said -

When it comes to the IIS TA, only one of the sourcetypes will actually work on the indexers whereas the second sourcetype needs to have either the TA or a separate props.conf deployed to the forwarder since it’s using INDEXED_EXTRACTIONS.

Deploying the full TA is overkill, IMO. Just need to throw in the following into a new props.conf for the forwarder and you’re all set.

 INDEXED_EXTRACTIONS = w3c
 TIMESTAMP_FIELDS = date, time
0 Karma
Reply

koshyk
Super Champion
‎05-22-2019 09:24 AM

agreed. The TA is not upto normal quality/standard

If you really wish, you can take the bits out of the TA and create your own and re-use the sourcetype.

Reply

koshyk
Super Champion
‎05-22-2019 09:08 AM

how does your raw data look like? (or is the output above from raw file itself?)

0 Karma
Reply

ddrillic
Ultra Champion
‎05-22-2019 09:17 AM

Looks the same as the file itself above...

0 Karma
Reply

koshyk
Super Champion
‎05-22-2019 09:26 AM

may be it is easier to extract timestamp and event_breaker yourself

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...