Splunk® Supported Add-ons

Splunk Add-on for Microsoft IIS

Source types for the Splunk Add-on for Microsoft IIS

The Splunk Add-on for Microsoft IIS provides the index-time and search-time knowledge for Microsoft IIS Web site activity data in the following formats.

Determine which source type to use based on the field extraction method you plan to use. Use either search-time field extraction or index-time field extraction, but not both. Using both field extraction methods on the same data source will produce redundant indexed events.

Source type Description CIM data models
ms:iis:splunk Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction. The field list contains Splunk recommended MS IIS fields to enrich CIM mapping. Web
ms:iis:default:85 Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction. Recommended source type for IIS log files for MS IIS 8.5 and higher. Web
ms:iis:default Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction. Web
ms:iis:auto Microsoft IIS log files in W3C format. Use this source type to enable automatic index-time field extraction. Web
ms:iis:webglobalmodule Use this source type to list the global modules present in all the IIS servers in the cluster, which can be used to observe any anomaly among the modules.

Index-time field extraction relies on Splunk platform's built-in capability to recognize and process the W3C log format regardless of which fields are logged by IIS and in what order. It requires no additional configuration. Index-time field extraction requires more storage space than search-time field extraction.

Search-time field extraction requires additional configurations in transforms.conf to match your log format. For configuration instructions, see Configure field transformations for the Splunk Add-on for Microsoft IIS.

Last modified on 05 January, 2024
Lookups for the Splunk Add-on for Microsoft IIS   Release notes for the Splunk Add-on for Microsoft IIS

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters