Configure field transformations in the Splunk Add-on for Microsoft IIS
If you are using the ms:iis:default, ms:iis:default:85 or ms:iis:splunk source type to enable search-time field extraction, perform the following additional steps on your search heads.
If you are using the ms:iis:auto source type, skip this procedure. The ms:iis:auto source type enables automatic index-time field extraction, so you do not need to configure these field transformations.
These three source types extract fields by splitting each event on spaces and assigning the values, in order, to the names in a FIELDS list. That list must match the #Fields: header of your IIS logs exactly. If it does not, values land under the wrong field names (for example c-ip or sc-status), and searches, dashboards and alerts built on those fields return wrong results without raising an error.
You can complete this configuration in Splunk Web or in the configuration files. If you are using this add-on with a search head cluster, perform these configuration steps in Splunk Web on one search head node. The cluster syncs the settings to your other nodes.
Configure field extractions in Splunk Web
- Use a text editor to open an IIS W3C-standard log file from the directory you configured the Splunk platform to monitor.
- In the log file, locate the field header line, which begins with #Fields:. For example:
  #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https
- Copy the field header line to your clipboard, omitting "#Fields: ".
- On your search head, click Settings > Fields.
- Click Field transformations.
- In the App drop-down, set the app context to Splunk Add-on for Microsoft IIS (Splunk_TA_microsoft-iis).
- Click the field transformation that corresponds to your configured source type (see the table below) and edit it:
  - In the Fields list field, delete the text that appears and paste the contents of your clipboard.
  - Check that the Fields list field exactly matches the field header line from your log file, with "#Fields:" omitted. The names must appear in the same order as the columns in the log; a missing, extra or reordered name shifts every following value into the wrong field.
  - Click Save.
Field transformation | Source type
---|---
auto_kv_for_iis_default | ms:iis:default
auto_kv_for_iis_default_85 | ms:iis:default:85
auto_kv_for_iis_splunk | ms:iis:splunk
Configure field extractions using configuration files
- Use a text editor to open an IIS W3C-standard log file from the directory you configured the Splunk platform to monitor.
- In the log file, locate the field header line, which begins with #Fields:, and copy it to your clipboard. For example:
  #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https
- In $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/transforms.conf, add or edit the stanza for your source type and paste the header line as the value of FIELDS, omitting "#Fields: ". The stanza names and their form are shown below. The FIELDS values are examples only: the value you use must match the header line of your own log file exactly, name for name and in the same order.

  Source type: ms:iis:default
  Stanza name in transforms.conf: auto_kv_for_iis_default
  [auto_kv_for_iis_default]
  DELIMS = " "
  FIELDS = date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status https

  Source type: ms:iis:default:85
  Stanza name in transforms.conf: auto_kv_for_iis_default_85
  [auto_kv_for_iis_default_85]
  DELIMS = " "
  FIELDS = date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https

  Source type: ms:iis:splunk
  Stanza name in transforms.conf: auto_kv_for_iis_splunk
  [auto_kv_for_iis_splunk]
  DELIMS = " "
  FIELDS = date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-Forwarded-For Content-Type https

- Save transforms.conf.
- Restart the search head for the configuration to take effect.
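The following Python script is an added example, not part of this page or of the add-on. It reads the #Fields: header out of a W3C log, renders the transforms.conf stanza in the form shown above, reads a FIELDS list back out of transforms.conf text, and reports every position where the two disagree. The log content, the request line and the stanza name are constructed for the example; the shipped ms:iis:default FIELDS list is the one printed above. The last function imitates the positional pairing that DELIMS = " " performs, to show what a FIELDS list that is shorter than the log header does to c-ip and sc-status.

```python
"""Build and check a transforms.conf FIELDS list for the Splunk Add-on for
Microsoft IIS from the #Fields: header of a W3C log.

Added example, not part of the add-on. The log below is constructed."""
import configparser

# Constructed W3C log: one header block and one request to /login.aspx.
# IIS writes a new "#Fields:" line whenever logging settings change or
# the file rolls over, so a real file may contain several.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 12:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https
2024-05-01 12:00:00 W3SVC1 WEB01 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - - www.example.com 401 2 5 1234 567 15 on
"""

# The ms:iis:default stanza as printed on this page; it lists fewer
# columns than the header above, which is exactly the mismatch to catch.
SHIPPED_DEFAULT_FIELDS = (
    "date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status https"
).split()


def header_fields(log_text):
    """Return the field list of every '#Fields:' line, in file order."""
    headers = [line[len("#Fields:"):].split()
               for line in log_text.splitlines() if line.startswith("#Fields:")]
    if not headers:
        raise ValueError("no #Fields: header; is this a W3C-format IIS log?")
    return headers


def render_stanza(stanza, fields):
    """Render a transforms.conf stanza in the form shown on this page."""
    return f'[{stanza}]\nDELIMS = " "\nFIELDS = {" ".join(fields)}\n'


def configured_fields(conf_text, stanza):
    """Read the FIELDS list back out of transforms.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # .conf keys are case-sensitive
    cp.read_string(conf_text)
    return cp[stanza]["FIELDS"].split()


def field_problems(log_fields, conf_fields):
    """Describe every position where FIELDS disagrees with the log header.
    An empty list means the two match exactly, name for name and in order."""
    problems = [f"position {i}: log has {want!r}, FIELDS has {have!r}"
                for i, (want, have) in enumerate(zip(log_fields, conf_fields))
                if want != have]
    extra = len(conf_fields) - len(log_fields)
    if extra < 0:
        problems.append(f"FIELDS is missing {-extra} trailing field(s): "
                        + " ".join(log_fields[len(conf_fields):]))
    elif extra > 0:
        problems.append(f"FIELDS has {extra} field(s) the log does not: "
                        + " ".join(conf_fields[len(log_fields):]))
    return problems


def extract_event(line, fields):
    """Pair values with names by position, as DELIMS = " " does (simplified:
    surplus values are dropped). A wrong FIELDS list shifts every value
    after the first mismatch into the wrong field name."""
    return dict(zip(fields, line.split()))


if __name__ == "__main__":
    header = header_fields(SAMPLE_LOG)[-1]
    print(render_stanza("auto_kv_for_iis_default", header))
    for problem in field_problems(header, SHIPPED_DEFAULT_FIELDS):
        print("MISMATCH:", problem)
    event = SAMPLE_LOG.splitlines()[-1]
    for name in ("c-ip", "sc-status"):
        print(f"{name}: correct={extract_event(event, header)[name]!r} "
              f"shifted={extract_event(event, SHIPPED_DEFAULT_FIELDS)[name]!r}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and the shipped list with the FIELDS value from your local transforms.conf. If a file carries more than one #Fields: line and they differ, the sites or time ranges involved need separate source types, since one FIELDS list cannot describe both layouts.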
This documentation applies to the following versions of Splunk® Supported Add-ons: released