On the Indexer:

Create or edit "$SPLUNK_HOME\etc\system\local\props.conf":

[iis]
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = True
REPORT-iis2 = iis2

Add more stanzas if necessary (sample):

[u_ex-too_small]
rename = iis
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = True
REPORT-iis2 = iis2

[u_ex-2]
rename = iis
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = True
REPORT-iis2 = iis2

Create or edit "$SPLUNK_HOME\etc\system\local\transforms.conf":

[iis2]
DELIMS = " "
FIELDS = date, time(GMT), s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status, sc-substatus, sc-win32-status, time-taken

I think these are the default fields from IIS; add or remove if more or fewer fields are chosen.

Restart the splunkd service.
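An added example, not code from the answer above or from Splunk: it mirrors what the DELIMS/FIELDS stanza does (split on the delimiter, assign names by position) and checks the configured FIELDS list against a log's own "#Fields:" header, because positional extraction silently mislabels every column after the first mismatch. The sample log and the time(GMT) -> time alias are constructed assumptions.

```python
# Field list exactly as in the transforms.conf stanza of the answer above.
SPLUNK_FIELDS = ["date", "time(GMT)", "s-ip", "cs-method", "cs-uri-stem",
                 "cs-uri-query", "s-port", "cs-username", "c-ip",
                 "cs(User-Agent)", "sc-status", "sc-substatus",
                 "sc-win32-status", "time-taken"]

# Assumption: the answer renames IIS's "time" column to "time(GMT)";
# map configured names back to the names IIS writes in its header.
ALIASES = {"time(GMT)": "time"}

# Constructed sample of an IIS W3C log (not a real server's log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-01-01 00:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2012-01-01 00:00:02 10.0.0.5 GET /admin - 80 - 192.0.2.11 curl/7.0 404 0 2 3
"""


def header_fields(log_text):
    """Return the column names declared by the log's own #Fields: directive."""
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            return line[len("#Fields:"):].split()
    return []


def check_field_mapping(log_text, configured=SPLUNK_FIELDS):
    """Compare the log header with the configured FIELDS list, position by
    position. Returns a list of (index, header_name, configured_name) for
    every column that would be mislabelled; an empty list means the mapping
    is consistent with what IIS actually writes."""
    declared = header_fields(log_text)
    mismatches = []
    for i in range(max(len(declared), len(configured))):
        h = declared[i] if i < len(declared) else None
        c = configured[i] if i < len(configured) else None
        if h != (ALIASES.get(c, c) if c is not None else None):
            mismatches.append((i, h, c))
    return mismatches


def parse_events(log_text, configured=SPLUNK_FIELDS, delim=" "):
    """Split each non-comment line on DELIMS and zip it with FIELDS, as the
    Splunk stanza does. IIS writes '+' for spaces inside values such as the
    User-Agent, so a single-space delimiter is safe for this format."""
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        events.append(dict(zip(configured, line.split(delim))))
    return events
```

Run check_field_mapping against a sample of each IIS log you onboard before relying on the extracted fields in searches or alerts.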