I have been trying to find some information on getting IIS Advanced logging data parsed correctly in splunk. I worked through creating a separate sourcetype, and modifying the fields through the splunk web interface, but this is not entirely consistent as the header data is now indexing with the new sourcetype. I plan on filtering that out, but I get the feeling I am creating a lot more work than this should be. It seems Splunk should have something built in to handle advanced logs consistently? Does anyone have any advice, or points to a document that I can refer to for making this happen? Thanks a bunch.
... View more