Because of some of the changes in the way certain fields were generated using Advanced Logging (like the lack of + for spaces in certain fields, like the User Agent), we changed delimiters from just a space or tab to a pipe ( | ) by editing the C:\Windows\System32\inetsrv\config\schema\IISAdvancedLogging_schema.xml file.
We changed this line:
<attribute name="delimiter" type="string" defaultValue=" " />
to this
<attribute name="delimiter" type="string" defaultValue="|" />
Then we defined the fields in our transforms.conf like this (trying to stick with all of the usual IIS log field names because we have lots of searches using them from before our switch from standard to advanced logging):
[adviis_fields]
DELIMS="|"
FIELDS="date","time","s-ip","cs-method","cs-uri-stem","cs-uri-query","cs-username","c-ip","cs(User-Agent)","sc-status","sc-substatus","sc-bytes","cs-bytes","time-taken"
Works great for us.
... View more