Splunk® Supported Add-ons

Splunk Add-on for Microsoft IIS

Configure field transformations in the Splunk Add-on for Microsoft IIS

If you are using the ms:iis:default, ms:iis:default:85, or ms:iis:splunk source type to enable search-time field extraction, perform the following additional steps on your search heads.

If you are using the ms:iis:auto source type, skip this procedure. The ms:iis:auto source type enables automatic index-time field extraction, so you do not need to configure these field transformations.

You can complete this configuration in Splunk Web or in the configuration files. If you are using this add-on with a search head cluster, perform these configuration steps on one search head node in Splunk Web. The cluster syncs the settings to your other nodes.

Configure field extractions in Splunk Web

  1. Use a text editor to open an IIS W3C-standard log file from the directory you configured the Splunk platform to monitor.
  2. In the log file, locate the field header line, which begins with #Fields:. For example: #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https
  3. Copy the field header line to your clipboard, omitting "#Fields: ".
  4. On your search head, click Settings > Fields.
  5. Click Field transformations.
  6. In the App drop-down, set the app context to Splunk Add-on for Microsoft IIS (Splunk_TA_microsoft-iis)
  7. Click the field transformation that corresponds to the source type you configured:

       Field transformation          Source type
       auto_kv_for_iis_default       ms:iis:default
       auto_kv_for_iis_default_85    ms:iis:default:85
       auto_kv_for_iis_splunk        ms:iis:splunk

  8. In the Fields list field, delete the text that appears and paste the contents of your clipboard.
  9. Check to make sure the Fields list field exactly matches the field header line from your log file, with "#Fields:" omitted.
  10. Click Save.

Configure field extractions using configuration files

  1. Use a text editor to open an IIS W3C-standard log file from the directory you configured the Splunk platform to monitor.
  2. In the log file, locate the field header line, which begins with #Fields:, and copy it to your clipboard. For example: #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https
  3. In $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/transforms.conf, paste the header line from the clipboard as the FIELDS value of the stanza for your source type, omitting "#Fields: ". The stanza names and example stanzas are as follows:

       Source type         Stanza name in transforms.conf
       ms:iis:default      auto_kv_for_iis_default
       ms:iis:default:85   auto_kv_for_iis_default_85
       ms:iis:splunk       auto_kv_for_iis_splunk

     Example for ms:iis:default:

       [auto_kv_for_iis_default]
       DELIMS = " "
       FIELDS = date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status https

     Example for ms:iis:default:85:

       [auto_kv_for_iis_default_85]
       DELIMS = " "
       FIELDS = date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https

     Example for ms:iis:splunk:

       [auto_kv_for_iis_splunk]
       DELIMS = " "
       FIELDS = date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-Forwarded-For Content-Type https

  4. Save transforms.conf.
  5. Restart the search head for the configuration to take effect.
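Both procedures above hinge on one thing: the FIELDS value must match the log's #Fields: header name for name, because DELIMS = " " extraction pairs the Nth value with the Nth name and a mismatch silently puts values such as c-ip or sc-status under the wrong field, which breaks any search or alert built on those fields. The following Python script is an added example, not part of this documentation or of the add-on. It reads the header from a constructed sample log, renders the stanza described in the configuration-file procedure, compares an existing FIELDS value against the header the way the Splunk Web procedure's exact-match check asks, and extracts one entry the way a space delimiter does. The stanza names and the shipped FIELDS value come from this topic; the sample log, its host names and its addresses are constructed.

```python
"""Added example for this topic (not from the Splunk documentation or the add-on):
derive a transforms.conf FIELDS value from an IIS W3C log's #Fields: header,
check an existing FIELDS value against that header, and show how a single-space
DELIMS extraction pairs values with names."""

# Stanza names and source types as listed in this topic.
STANZA_FOR_SOURCETYPE = {
    "ms:iis:default": "auto_kv_for_iis_default",
    "ms:iis:default:85": "auto_kv_for_iis_default_85",
    "ms:iis:splunk": "auto_kv_for_iis_splunk",
}

# Constructed sample log: IIS directives plus one entry. Host names, addresses
# and values are made up for this example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-07-21 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https
2021-07-21 00:00:01 W3SVC1 WEBHOST01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 HTTP/1.1 Mozilla/5.0 - - www.example.com 200 0 0 1234 456 15 on
"""

# The FIELDS value this topic shows for the shipped auto_kv_for_iis_default stanza.
SHIPPED_DEFAULT_FIELDS = (
    "date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status https"
).split()


def fields_from_log(text):
    """Return the names from the last #Fields: directive. IIS writes a new
    directive when logging options change, so the last one governs the
    entries that follow it."""
    names = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line[len("#Fields:"):].split()
    if names is None:
        raise ValueError("no #Fields: directive in log")
    return names


def render_stanza(sourcetype, fields):
    """Render the transforms.conf stanza for a source type."""
    return "[{}]\nDELIMS = \" \"\nFIELDS = {}\n".format(
        STANZA_FOR_SOURCETYPE[sourcetype], " ".join(fields))


def fields_from_transforms(conf_text, stanza):
    """Return the FIELDS value of one stanza, or None if absent. Hand-parsed so
    the quoted DELIMS value is not reinterpreted by an INI parser."""
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "FIELDS":
                return value.split()
    return None


def check_fields(configured, header):
    """Compare a configured FIELDS list with the log header. The returned list
    of problems is empty only when the two match exactly."""
    problems = []
    if len(configured) != len(header):
        problems.append("count differs: FIELDS has %d names, header has %d"
                        % (len(configured), len(header)))
    for pos, (conf, log) in enumerate(zip(configured, header), start=1):
        if conf != log:
            problems.append("position %d: FIELDS %r, header %r" % (pos, conf, log))
    return problems


def extract_entries(text, fields):
    """Split entries on single spaces, as DELIMS = " " does, and pair each
    value with its name. Raises on a count mismatch rather than pairing
    values with the wrong names."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("entry has %d values but FIELDS lists %d"
                             % (len(values), len(fields)))
        entries.append(dict(zip(fields, values)))
    return entries


if __name__ == "__main__":
    header = fields_from_log(SAMPLE_LOG)
    print(render_stanza("ms:iis:default:85", header))
    for problem in check_fields(SHIPPED_DEFAULT_FIELDS, header):
        print("mismatch:", problem)
    print(extract_entries(SAMPLE_LOG, header)[0]["c-ip"])
```

Run against the sample log, the script prints the auto_kv_for_iis_default_85 stanza with the 23-name header, then reports that the shipped 15-name default FIELDS value differs from it (first at position 4, where the log has s-computername), which is exactly the situation the exact-match check in both procedures exists to catch. Pointing fields_from_log at a real log from the monitored directory and fields_from_transforms at the local transforms.conf turns it into a pre-restart check for the stanza you edited.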
Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released