Source types for the Splunk Add-on for Microsoft IIS

The Splunk Add-on for Microsoft IIS provides the index-time and search-time knowledge for Microsoft IIS Web site activity data in the following formats.

Determine which source type to use based on the field extraction method you plan to use. Use either search-time field extraction or index-time field extraction, but not both. Using both field extraction methods on the same data source will produce redundant indexed events.

| Source type | Description | CIM data models |
| --- | --- | --- |
| ms:iis:splunk | (deprecated) - Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction. The field list contains Splunk recommended MS IIS fields to enrich CIM mapping. | Web |
| ms:iis:default:85 | (deprecated) - Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction. Recommended source type for IIS log files for MS IIS 8.5 and higher. | Web |
| ms:iis:default | (deprecated) - Microsoft IIS log files in W3C format. Use this source type to enable search-time field extraction. | Web |
| ms:iis:auto | (recommended) - Microsoft IIS log files in W3C format. Use this source type to enable automatic index-time field extraction. | Web |
| ms:iis:webglobalmodule | Use this source type to list the global modules present in all the IIS servers in the cluster, which can be used to observe any anomaly among the modules. | |

The advantage of the ms:iis:auto source type is that it uses index-time field extraction, relying on the Splunk platform's built-in capability to recognize and process the W3C log format, regardless of which fields IIS logs and in what order. It does not require any additional Splunk configuration. However, index-time field extraction requires more storage space than search-time field extraction.

Additionally, an issue might occur with index-time field extraction when a single log file contains multiple #Fields: headers. For more information on how to resolve the issue, see Troubleshooting.
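To find log files affected by the multiple #Fields: header condition before onboarding them with ms:iis:auto, a pre-ingestion check like the following can be run against the IIS log directory. This is an added example, not part of the add-on or its documentation; the function name `audit_w3c_log` is hypothetical and the sample log is constructed.

```python
import sys

# Constructed sample (not from a real server): IIS re-emits its directives
# mid-file and the second #Fields: line adds a time-taken column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time cs-method cs-uri-stem sc-status
2024-01-01 00:00:01 GET /index.html 200
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:05:00
#Fields: date time cs-method cs-uri-stem sc-status time-taken
2024-01-01 00:05:00 GET /login 302 15
2024-01-01 00:05:02 GET /broken 500
"""

def audit_w3c_log(lines):
    """Report #Fields: directives, layout changes and misaligned data rows."""
    header_lines, layout_changes, bad_rows = [], [], []
    active = None  # field list of the most recent #Fields: directive
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            header_lines.append(n)
            if active is not None and fields != active:
                layout_changes.append(n)  # same file, different column set
            active = fields
        elif line and not line.startswith("#"):
            # W3C values are space-separated; a row must match the active header
            if active is None or len(line.split()) != len(active):
                bad_rows.append(n)
    return {"header_lines": header_lines,
            "layout_changes": layout_changes,
            "bad_rows": bad_rows}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                print(path, audit_w3c_log(fh))
    else:
        print("sample", audit_w3c_log(SAMPLE_LOG.splitlines()))
```

A file with more than one entry in `header_lines` matches the condition described above; entries in `layout_changes` or `bad_rows` mark where extracted fields are most likely to be misaligned.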

Search-time field extraction requires additional configurations in transforms.conf to match your log format. For configuration instructions, see Configure field transformations for the Splunk Add-on for Microsoft IIS.