Splunk® Supported Add-ons

Splunk Add-on for Microsoft IIS

Troubleshoot the Splunk Add-on for Microsoft IIS

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons.
For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

When should I use different source types?

  • Use ms:iis:default:85 if you have multiple MS IIS versions or versions 8.5 and greater. This enables you to differentiate the data of multiple MS IIS versions.
  • Use ms:iis:splunk if you enable the Splunk recommended fields. Doing so enriches the CIM mapping of your IIS log data to the Web data model, which you can use to build your dashboards.

The "url" field has "http://" scheme even when the requests are made via HTTPS.

To fix this, enable the HTTPS server variable and update the transform that corresponds to your source type. Name this custom field exactly "https". The "url" field then contains the correct URL that was requested.

The "url" field mapped to Web data model isn't extracting.

Make sure the fields https, cs-host, s-ip, s-port, cs-uri-stem, and cs-uri-query are enabled in MS IIS. If you use search-time extraction, the expected field extraction is listed in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/transforms.conf. If you use index-time extraction, make sure the log file has been rolled over with the new headers.
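
The following check is an added example, not part of the add-on or of Splunk's documentation. It reads the "#Fields:" directives of an IIS log in W3C format and reports which of the fields listed above are missing, and whether the field list changed inside the file (the log has not rolled over since the fields were changed). The function names and the sample log are constructed for illustration.

```python
# Added example (not part of the add-on): check W3C "#Fields:" headers in an
# IIS log for the fields this page says the "url" mapping needs.
REQUIRED = ("https", "cs-host", "s-ip", "s-port", "cs-uri-stem", "cs-uri-query")


def field_headers(lines):
    """Return [(line_number, [field, ...])] for every #Fields: directive."""
    headers = []
    for number, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            headers.append((number, line[len("#Fields:"):].split()))
    return headers


def check_log(lines):
    """Report missing fields per header and whether the header changed mid-file."""
    headers = field_headers(lines)
    if not headers:
        return {"error": "no #Fields: directive found"}
    first, last = headers[0][1], headers[-1][1]
    return {
        # Fields absent from the header at the top of the file.
        "missing_in_first_header": [f for f in REQUIRED if f not in first],
        # Fields absent from the most recent header in the file.
        "missing_in_latest_header": [f for f in REQUIRED if f not in last],
        # True when the field list changed inside the file, i.e. the file has
        # not been rolled over since the logging fields were changed.
        "header_changed_mid_file": any(h[1] != first for h in headers[1:]),
    }


# Constructed sample: the "https" custom field was added while the file was open.
SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-host sc-status
2021-07-21 10:00:00 192.0.2.10 GET /index.html - 443 www.example.test 200
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-host sc-status https
2021-07-21 10:05:00 192.0.2.10 GET /index.html - 443 www.example.test 200 on
""".splitlines()

if __name__ == "__main__":
    for key, value in check_log(SAMPLE).items():
        print(f"{key}: {value}")
```

To check a real log, pass the lines of the file to check_log() in place of SAMPLE.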

I can't launch the add-on!

This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.

For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released
