Splunk® Supported Add-ons

Splunk Add-on for Microsoft IIS

Configure inputs for the Splunk Add-on for Microsoft IIS

Configure directory monitoring inputs on your data collection node for Microsoft IIS logs. Your forwarders must be installed directly on your Microsoft IIS servers or have the Microsoft IIS log files copied or shared to them from the Microsoft IIS servers. You can configure inputs directly on your forwarders or you can configure inputs on a deployment server and push them to your forwarders.

Configure inputs using Splunk Web

  1. Log in to Splunk Web.
  2. Click Settings > Data inputs.
  3. Click Files & directories.
  4. Click New.
  5. In the File or Directory field, specify the path to the Microsoft IIS standard log directory (default: %SystemDrive%\inetpub\logs\LogFiles) or advanced log directory (default: %SystemDrive%\inetpub\logs\AdvancedLogs), then click Next.
  6. In the Sourcetype field, enter the Microsoft IIS source type that matches the field extraction you plan to use.
    • ms:iis:auto enables automatic index-time field extraction.
    • ms:iis:default enables search-time field extraction.
  7. Click Review and review the information.
  8. If all the information is correct, click Submit.

Next step
Configure the log format to allow extractions using the ms:iis:default sourcetype. See Configure field transformations for the Splunk Add-on for Microsoft IIS.

Configure inputs using the configuration files

  1. Create $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/inputs.conf.
  2. Depending on the IIS source type and field extraction method you want to use, add one of the following stanzas, replacing the default IIS log directory path name with the actual value in your environment.
    Index-time field extraction:

    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = ms:iis:auto

    Search-time field extraction:

    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = ms:iis:default

  3. Save the file.
  4. Restart the Splunk platform for the new inputs to take effect.
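
The following check is an added example, not part of the add-on or of this manual: a Python script that reads an inputs.conf before deployment and flags a monitor path defined twice, a sourcetype other than the two named in step 2, and inputs left disabled. The function name lint_inputs_conf and the sample file contents are assumptions constructed for illustration.

```python
# The two source types this page names for the add-on.
IIS_SOURCETYPES = {"ms:iis:auto", "ms:iis:default"}


def lint_inputs_conf(text):
    """Return (stanza, problem) tuples for the monitor:// stanzas in text."""
    stanzas, problems, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            # Step 2 says to add one of the two stanzas, not both.
            if current in stanzas:
                problems.append((current, "stanza defined more than once"))
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        sourcetype = settings.get("sourcetype", "")
        if sourcetype not in IIS_SOURCETYPES:
            problems.append(
                (name, "unsupported sourcetype: " + (sourcetype or "<none>")))
        if settings.get("disabled", "false").lower() in ("true", "1"):
            problems.append((name, "input is disabled"))
    return problems


# Constructed sample: both step 2 stanzas pasted together, plus a bad input.
SAMPLE = r"""
[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto
[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:default
[monitor://C:\inetpub\logs\AdvancedLogs]
disabled = true
sourcetype = ms:iis
"""

if __name__ == "__main__":
    for stanza, problem in lint_inputs_conf(SAMPLE):
        print(stanza + ": " + problem)
```
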

Next step
Configure the log format to allow extractions using the ms:iis:default sourcetype. See Configure field transformations for the Splunk Add-on for Microsoft IIS.

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

Hi Ben, thanks for your feedback. The INDEXED_EXTRACTIONS = w3c setting is already included in props.conf for the ms:iis:auto sourcetype, so no additional configurations are needed. Besides, the add-on must be installed on the indexer as well if a UF is used to collect data. See http://docs.splunk.com/Documentation/AddOns/raeleased/MSIIS/Install.

Hunters splunk, Splunker
February 3, 2017

When deploying inputs to a Universal Forwarder, it is also necessary to deploy a props.conf to set up indexed extractions.

Bnorthway splunk, Splunker
January 24, 2017
