How to parse IIS Web logs (from Splunk Add-on for AWS) with Splunk Add-on for Microsoft IIS?

Log_wrangler
Builder

I have IIS web logs in an index where the sourcetype = aws:s3 and source=s3://my_aws_logs/webserver/logs/random_num.log

I need to parse this source with the Splunk Add-on for Microsoft IIS to search through loads of web server logs.

Please advise next steps or how I might parse these logs.

Thank you

0 Karma
1 Solution

jconger
Splunk Employee
  1. Download and install the Splunk Add-on for Microsoft IIS.
  2. Create a folder named local in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis
  3. Copy the props.conf file from default to local
  4. Edit the local/props.conf file and rename [ms:iis:default] to [source::s3://my_aws_logs/webserver/logs/random_num.log]
  5. Restart Splunk

Note: you can wildcard the [source::...] stanza if you have multiple sources.

Basically, the steps above are adding search-time knowledge to your indexed data. You may need to modify transforms.conf if the file names are not matching. Here is the documentation on that -> http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Configuretransforms


0 Karma
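The five steps above, as an added shell example that is not part of the original answer or of the add-on itself: it automates steps 2 to 4 (create local/, copy props.conf, rename the [ms:iis:default] header to a [source::...] header) and gives you a quick check before the restart in step 5. The app path, the source pattern and the contents of the sample default/props.conf are assumptions made for demonstration; the real add-on's props.conf has different settings, and the script only rewrites the one stanza header, so it works the same on the real file. In a props.conf source:: stanza, `*` matches within one path segment while `...` also crosses `/`, so `s3://my_aws_logs/.../*.log` would cover logs in subfolders as well.

```shell
#!/bin/sh
# Added example (not from the original answer or the add-on): automates
# steps 2-4 of the accepted solution and checks the result before the
# Splunk restart in step 5. The app path, the source pattern and the
# sample default/props.conf contents are assumptions for demonstration.
set -eu

# Constructed stand-in for the add-on's default/props.conf so the script can
# be exercised offline. The settings are placeholders, not the real file.
make_sample_default() {
  app="$1"
  mkdir -p "$app/default"
  cat > "$app/default/props.conf" <<'EOF'
[ms:iis:default]
# placeholder settings (constructed, not the add-on's real values)
REPORT-iis_fields = iis_fields
KV_MODE = none

[ms:iis:auto]
# a second stanza that must survive the edit untouched
INDEXED_EXTRACTIONS = w3c
EOF
}

# Steps 2-4: create local/, copy props.conf, and rename only the
# [ms:iis:default] stanza header to [source::<pattern>]. Every other line,
# including other stanzas and the settings under the renamed header, is
# copied as-is, so the search-time extractions now key on the source.
apply_source_stanza() {
  app="$1"      # e.g. "$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis"
  pattern="$2"  # e.g. 's3://my_aws_logs/webserver/logs/*.log'
                # '*' stays within one path segment; '...' also crosses '/'
  [ -f "$app/default/props.conf" ] || {
    echo "no default/props.conf in $app" >&2
    return 1
  }
  mkdir -p "$app/local"
  awk -v hdr="[source::$pattern]" \
      '$0 == "[ms:iis:default]" { print hdr; next } { print }' \
      "$app/default/props.conf" > "$app/local/props.conf"
}

# Print the source:: stanza header now present in local/props.conf, so the
# pattern can be compared with a real source value before restarting.
stanza_header() {
  grep '^\[source::' "$1/local/props.conf" | head -n 1
}

# Demo run in a scratch directory; no real Splunk install is touched.
demo="$(mktemp -d)"
make_sample_default "$demo/Splunk_TA_microsoft-iis"
apply_source_stanza "$demo/Splunk_TA_microsoft-iis" \
    's3://my_aws_logs/webserver/logs/*.log'
stanza_header "$demo/Splunk_TA_microsoft-iis"
rm -rf "$demo"
```

Against a real install, call `apply_source_stanza "$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis" 's3://my_aws_logs/webserver/logs/*.log'`, restart Splunk, and then run `$SPLUNK_HOME/bin/splunk btool props list --debug` to see the merged configuration with the file each setting comes from; the new [source::...] stanza should be listed from the local/ directory. Two caveats worth keeping in mind: the events keep sourcetype=aws:s3, since this only attaches search-time knowledge by source, and any index-time settings in the add-on (such as INDEXED_EXTRACTIONS) cannot apply to data that has already been indexed.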

Log_wrangler
Builder

I tried your suggestion but I am not seeing the fields parse out differently. Do you think I need to override the aws:s3 sourcetype and change it to ms iis sourcetype?

thanks

0 Karma

Log_wrangler
Builder

Looks like there was an ID10T error causing it not to work, but it does now, thanks.

0 Karma

Log_wrangler
Builder

Thank you I will test it and let you know.

0 Karma