Getting Data In

W3C Fields With Light Forwarder - Still don't have it

dveith
Explorer

Please advise.

Linux Splunk Server 4.1.5. Light forwarder is installed on Windows IIS web servers. Trying to get W3C Extended fields available for searching on the Splunk server. The data is forwarded, just not with fields defined.

Windows IIS Servers have this inputs.conf

[default]
host = servername

[monitor://C:\WINNT\system32\LogFiles\W*\ex*.log]
SOURCETYPE = iis

Records also display with source types "IIS", "IIS-1", "IIS-5" on the Splunk server.

What is the best way to configure this so the IIS logs have their W3C Extended fields available for searching?

thanks.


gkanapathy
Splunk Employee

Yeah. So, the default settings in props.conf don't work well if you're using a forwarder for IIS log files, which admittedly a lot of people do (and should do).

Here's what I would do. First, SOURCETYPE should be sourcetype, i.e., lower-case. Next, on the forwarder (where the input phase occurs, reference) add this to a props.conf next to your inputs.conf:

 [iis]
 CHECK_FOR_HEADER = false

Then, on the search head, configure your fields manually in a props.conf:

 [iis]
 REPORT-iisfields = iisfields

and transforms.conf

[iisfields]
DELIMS = " "
FIELDS = date,time,csWhatever,csWhatever2,csNextField,scMoreInfo

If you have multiple different sets of fields (e.g., different servers/instances/sites log different fields), then specify a different sourcetype for them in inputs, and define different fields for it on the search head.

dveith
Explorer

Hi, I will submit an enhancement request. And before I saw your note I got it working sending to a null queue. Thanks for your help!!


gkanapathy
Splunk Employee

I would also encourage you to file an enhancement request (aka P4 support ticket) on this. This is something that Splunk should fix, and if the "Getting Data In" tasks for the next version do anything at all, it should deal with this issue.


gkanapathy
Splunk Employee

You can mostly just ignore them, or construct your search queries to ignore them (e.g., NOT user=csUser or whatever will exclude those items). Otherwise you can do a TRANSFORMS at index time and filter out (nullQueue) anything that matches ^#.

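Added example, not from any post in this thread: one complete set of .conf stanzas that combines the two pieces of advice above, the search-time delimited field extraction from gkanapathy's answer and the index-time nullQueue routing of the "#" header lines from his later comment. The field list is an assumption based on the default IIS W3C Extended field selection, and the sample "#Fields:" header shown in the comment is constructed; the order in FIELDS must match the "#Fields:" line of the site actually being indexed.

```ini
# inputs.conf on the Windows light forwarder.
# Key names are case-sensitive: "sourcetype", not "SOURCETYPE".
[monitor://C:\WINNT\system32\LogFiles\W3SVC1\ex*.log]
sourcetype = iis

# props.conf on the indexer (index-time).
# A light forwarder does not parse, so header-dropping
# TRANSFORMS must live on the indexer, not on the forwarder.
[iis]
CHECK_FOR_HEADER = false
TRANSFORMS-dropheaders = iis_drop_headers

# transforms.conf on the indexer.
# Any line beginning with "#" (#Software, #Version, #Date, #Fields)
# is sent to nullQueue and never indexed.
[iis_drop_headers]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

# props.conf on the search head (search-time extraction).
[iis]
REPORT-iisfields = iisfields

# transforms.conf on the search head.
# Constructed sample header this FIELDS list was written against:
#   #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
#            cs-username c-ip cs(User-Agent) sc-status sc-substatus
#            sc-win32-status time-taken
# Hyphens are replaced with underscores so the names are usable in searches.
[iisfields]
DELIMS = " "
FIELDS = date,time,s_ip,cs_method,cs_uri_stem,cs_uri_query,s_port,cs_username,c_ip,cs_user_agent,sc_status,sc_substatus,sc_win32_status,time_taken
```

If different sites on the same server log different field sets, give each site's log directory (W3SVC1, W3SVC2, ...) its own monitor stanza with a distinct sourcetype, and repeat the [iis] stanzas above under that sourcetype name with a FIELDS list that matches that site's "#Fields:" header. A quick check after restarting is to search the sourcetype and confirm that no events beginning with "#" remain and that a field such as sc_status is populated.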

dveith
Explorer

gkanapathy, this worked well. Except the header records make it through now too. How can I eliminate them?


dveith
Explorer

Thank you for your excellent response. We do have different sets of fields for different web sites on the same IIS servers so we will need to specify multiple sourcetypes and fields. Thanks for that tip too.

It's things like this that still make me feel that Windows is still a second-class citizen to Splunk.


araitz
Splunk Employee

Why is this still painful? Amazing....
