Troubleshoot the Splunk Add-on for Microsoft IIS
When should I use different source types?
ms:iis:default:85if you have multiple MS IIS versions or versions 8.5 and greater. This enables you to differentiate the data of multiple MS IIS versions.
ms:iis:splunkif you enable the Splunk recommended fields, as that will enrich your IIS log data's CIM mapping to Web data model which you can use to build your dashboards.
The "url" field has "http://" scheme even when the requests are made via HTTPS.
Enable the HTTPS Server variable and update the transform corresponding to the source type for this issue. Name this custom field as "https" ONLY. You'll receive the correct url that you input.
The "url" field mapped to Web data model isn't extracting.
Make sure the fields https, cs-host, s-ip, s-port, cs-uri-stem, cs-uri-query are enabled in MS IIS. If search-time extraction is used, its expected field extraction is mentioned in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/transforms.conf. If index-time extraction is used, make sure the log file is rolled over with the new headers.
I can't launch the add-on!
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.
Configure recommended fields in the Splunk Add-on for Microsoft IIS
Lookups for the Splunk Add-on for Microsoft IIS
This documentation applies to the following versions of Splunk® Supported Add-ons: released