Splunk® Supported Add-ons

Splunk Add-on for Microsoft IIS

Configure recommended fields in the Splunk Add-on for Microsoft IIS

Splunk recommends you configure these fields for your business needs. There are different configuration instructions for different versions of Microsoft IIS.

For Microsoft IIS versions 8.5 and 10.0

  1. Open IIS Manager.
  2. At the server, site, or application level, double-click Logging.
  3. Click Select Fields.
  4. In the W3C Logging Fields window, select all the fields listed under Standard Fields.
  5. Next, click Add Field under the Custom Fields box.
  6. In the Add Custom Field window, fill out the following fields, working from top to bottom, and click OK after adding each field.

     | Field Name      | Source Type     | Source          |
     |-----------------|-----------------|-----------------|
     | X-Forwarded-For | Request Header  | X-Forwarded-For |
     | Content-Type    | Request Header  | Content-Type    |
     | https           | Server Variable | HTTPS           |

  7. Click OK in the W3C Logging Fields window.
  8. Click Apply in the actions pane.
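
After applying the change, you can confirm that new log files list the three custom fields in their `#Fields:` directive. The following check is an added example, not part of the add-on or of Splunk's documentation; the function names and the sample log are constructed for illustration.

```python
# Added example: check an IIS W3C log for the three recommended custom fields.
RECOMMENDED = ("X-Forwarded-For", "Content-Type", "https")

# Constructed sample log (not real traffic); addresses use documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-07-21 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status X-Forwarded-For Content-Type https
2021-07-21 10:00:01 192.0.2.10 POST /login 443 192.0.2.1 200 203.0.113.7 application/json on
2021-07-21 10:00:02 192.0.2.10 GET /health 80 192.0.2.1 200 - - off
2021-07-21 10:00:03 192.0.2.10 GET / 443 192.0.2.1 200 198.51.100.23,+203.0.113.9 - on
"""

def parse_w3c(text):
    """Return (fields, events). A later #Fields directive replaces the earlier one."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no event data
        else:
            values = line.split()
            if len(values) != len(fields):
                continue  # row does not match the current header; skip it
            # W3C logs write "-" for an empty value
            events.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return fields, events

def missing_recommended(fields):
    """List the recommended custom fields absent from a #Fields header."""
    present = {f.lower() for f in fields}
    return [f for f in RECOMMENDED if f.lower() not in present]

def client_address(event):
    """Left-most X-Forwarded-For entry if logged, otherwise c-ip."""
    xff = event.get("X-Forwarded-For")
    if xff:
        # IIS writes spaces inside a value as "+"
        return xff.replace("+", " ").split(",")[0].strip()
    return event.get("c-ip")

if __name__ == "__main__":
    fields, events = parse_w3c(SAMPLE_LOG)
    print("missing:", missing_recommended(fields))
    for e in events:
        print(e["cs-uri-stem"], client_address(e), e["https"])
```

X-Forwarded-For is a request header, so its left-most entry is only trustworthy when your proxy or load balancer overwrites the header rather than appending to a client-supplied value.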

For Microsoft IIS versions 7, 7.5 and 8.0

  1. Open IIS Manager.
  2. At the server, site, or application level, double-click Advanced Logging.
  3. In the action pane on the right side, click Enable Advanced Logging.
  4. In the action pane, click Edit Logging Fields.
  5. In the new window, click Add Field.
  6. In the Add Logging Field window, fill out the following fields, working from top to bottom, and click OK after adding each field:

     | Field Name      | Source Type     | Source          |
     |-----------------|-----------------|-----------------|
     | X-Forwarded-For | Request Header  | X-Forwarded-For |
     | Content-Type    | Request Header  | Content-Type    |
     | https           | Server Variable | HTTPS           |

  7. In the middle pane, select the default log definition %COMPUTERNAME%-Server. Click Edit Log Definition.
  8. Click Select Logging Fields.
  9. Select X-Forwarded-For, Content-Type and https from the list. Click OK.
  10. Click Apply in the actions pane.
Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

