Splunk® Supported Add-ons

Splunk Add-on for Microsoft IIS

Configure inputs in the Splunk Add-on for Microsoft IIS

Configure directory monitoring inputs on your data collection node for Microsoft IIS logs. Your forwarders must be installed directly on your Microsoft IIS servers or have the Microsoft IIS log files copied or shared to them from the Microsoft IIS servers. You can configure inputs directly on your forwarders or you can configure inputs on a deployment server and push them to your forwarders.

Configure inputs using Splunk Web

  1. Log in to Splunk Web.
  2. Click Settings > Data inputs.
  3. Click Files & directories.
  4. Click New.
  5. In the File or Directory field, specify the path to the Microsoft IIS standard log directory (default: %SystemDrive%\inetpub\logs\LogFiles) or advanced log directory (default: %SystemDrive%\inetpub\logs\AdvancedLogs), then click Next.
  6. In the Sourcetype field, enter the Microsoft IIS source type that matches the field extraction you plan to use.
    • ms:iis:auto enables automatic index-time field extraction. It supports the Splunk recommended MS IIS fields if enabled.
    • ms:iis:default enables search-time field extraction.
    • ms:iis:default:85 enables search-time field extraction. Preferable for MS IIS version 8.5 and greater.
    • ms:iis:splunk enables search-time field extraction for the Splunk recommended MS IIS fields.
  7. Click Review and review the information.
  8. If all the information is correct, click Submit.

Next step
Configure the log format to allow extractions using the ms:iis:default, ms:iis:default:85 or ms:iis:splunk sourcetype. See Configure field transformations for the Splunk Add-on for Microsoft IIS.

Configure inputs using the configuration files

  1. Create $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/inputs.conf.
  2. Depending on the IIS source type and field extraction method you want to use, add one of the following stanzas. Replace the default IIS log directory path (shown here with C: as the system drive) with the actual path in your environment, and set index to the index where you want to collect the data.

    Index-time field extraction:

    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = ms:iis:auto
    index = <preferred index>

    Search-time field extraction:

    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = [ ms:iis:default | ms:iis:default:85 | ms:iis:splunk ]
    index = <preferred index>

  3. Save the file.
  4. Restart the Splunk platform for the new inputs to take effect.
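
A pre-deployment check for the inputs.conf stanza described in the steps above, as an added example that is not part of the Splunk documentation or the add-on. It flags a missing stanza header, a source type outside the four listed on this page, an unset or placeholder index, and a disabled input; the function name, the sample stanzas and the index name iis_web are constructed for illustration.

```python
import configparser

# Source types this page lists for the add-on.
IIS_SOURCETYPES = {"ms:iis:auto", "ms:iis:default", "ms:iis:default:85", "ms:iis:splunk"}

# Constructed sample inputs (not taken from a real deployment).
GOOD = r"""[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto
index = iis_web
"""
NO_HEADER = "disabled = false\nsourcetype = ms:iis:auto\nindex = iis_web\n"
UNEDITED = r"""[monitor://C:\inetpub\logs\LogFiles]
disabled = true
sourcetype = [ ms:iis:default | ms:iis:default:85 | ms:iis:splunk ]
index = <preferred index>
"""

def lint_iis_inputs(text):
    """Return a list of problems in inputs.conf text; an empty list means it passed."""
    # Strip indentation so configparser does not treat lines as continuations.
    text = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        return ["settings appear before any [monitor://<path>] stanza header"]
    except configparser.ParsingError as exc:
        return [f"unparseable content: {exc}"]
    monitors = [s for s in parser.sections() if s.startswith("monitor://")]
    if not monitors:
        return ["no [monitor://<path>] stanza found"]
    problems = []
    for name in monitors:
        stanza = parser[name]
        sourcetype = stanza.get("sourcetype", "")
        index = stanza.get("index", "")
        if sourcetype not in IIS_SOURCETYPES:
            problems.append(f"[{name}] sourcetype {sourcetype!r} is not an add-on source type")
        if not index or index.startswith("<"):
            problems.append(f"[{name}] index is unset or still a placeholder")
        if stanza.get("disabled", "false").lower() in ("true", "1"):
            problems.append(f"[{name}] input is disabled")
    return problems

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("no header", NO_HEADER), ("unedited", UNEDITED)):
        print(label, lint_iis_inputs(sample))
```
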
Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released
