I think, given there are multiple versions of IIS being run in the data center, it isn't as easy as the pull-down auto-sourcetyping Splunk provides for "IIS". In cases where W3C exists, there is also normally W3SVC1 as well. So, first define your problem. Do you have IIS6, IIS7 and/or IIS7.5, as you would in 2008 environments? Each of these looks a little different: IIS for 6.0 and IIS-n, or IIS-n+1 when auto-sourcetyped for IIS 7.0 or IIS 7.5.
For example, here is an IIS7.0 logging example:
2010-01-08 03:28:31 W3SVC1 WS1 GET /favicon.ico - 80 - 10.3.200.2 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.1.6)+Gecko/20091201+Firefox/3.5.6 - - 10.20.100.10 404 0 2 1405 356 15
2010-01-08 03:28:31 W3SVC1 WS1 GET /favicon.ico - 80 - 10.3.200.2 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.1.6)+Gecko/20091201+Firefox/3.5.6 - - 10.20.100.10 404 0 2 1405 356 31
2010-01-08 03:28:31 W3SVC1 WS1 GET /favicon.ico - 80 - 10.3.200.2 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.1.6)+Gecko/20091201+Firefox/3.5.6 - - 10.20.100.10 404 0 2 1405 356 31
Note the replacement of whitespace with a '+'. Also, what you don't see here are the additional values attached to the HTTP status codes: http://support.microsoft.com/kb/943891
So, don't get frustrated if you find your auto-sourcetyping isn't working in your ~/local/props.conf. Make sure you are taking into account the new delimiter for each sourcetype.
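Added example (not part of the original post): a small Python check for the two points raised above, that the column layout must come from the log's own `#Fields:` directive and that `+` stands in for spaces inside a value. The `#Software:` and `#Fields:` header lines are constructed to fit the 21 columns of the sample line, since the post does not show them, and `parse_w3c` and `status_detail` are names chosen for this example.

```python
# Constructed sample: the header lines are an assumption made to match the
# 21 columns of the log line quoted in the post; the data line is from the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-sitename s-computername cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2010-01-08 03:28:31 W3SVC1 WS1 GET /favicon.ico - 80 - 10.3.200.2 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.1.6)+Gecko/20091201+Firefox/3.5.6 - - 10.20.100.10 404 0 2 1405 356 15
"""

# Fields where IIS writes '+' in place of a space inside the value.
PLUS_ENCODED = {"cs(User-Agent)", "cs(Cookie)", "cs(Referer)"}


def parse_w3c(text):
    """Return (events, rejected) for W3C extended log text.

    The column list is taken from the most recent #Fields directive, so a
    file whose layout changes part-way through is still split correctly.
    Lines that do not match the active layout are returned in `rejected`
    rather than being silently mis-assigned to the wrong field names.
    """
    fields, events, rejected = None, [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue  # blank line or another directive (#Software, #Date, ...)
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            rejected.append(line)
            continue
        event = {}
        for name, value in zip(fields, values):
            if value == "-":
                value = None  # '-' marks an empty field
            elif name in PLUS_ENCODED:
                value = value.replace("+", " ")
            event[name] = value
        # Combine status and sub-status (e.g. 404.0) when both are logged.
        if event.get("sc-status") and event.get("sc-substatus") is not None:
            event["status_detail"] = f'{event["sc-status"]}.{event["sc-substatus"]}'
        events.append(event)
    return events, rejected
```

A non-empty `rejected` list is the signal that the delimiter or field list assumed for a sourcetype does not match what that IIS version is actually writing.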