
Troubleshoot the Splunk Add-on for Microsoft IIS

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

When should I use different source types?

  • Use ms:iis:default:85 if you have multiple MS IIS versions or versions 8.5 and greater. This enables you to differentiate the data of multiple MS IIS versions.
  • Use ms:iis:splunk if you enable the Splunk recommended fields. This enriches the CIM mapping of your IIS log data to the Web data model, which you can use to build your dashboards.

The “url” field has the “http://” scheme even when the requests are made via HTTPS.

To resolve this issue, enable the HTTPS server variable and update the transform that corresponds to the source type. Name this custom field “https” and nothing else. The url field then contains the correct URL, as it was requested.

The “url” field mapped to Web data model isn’t extracting.

Make sure the fields https, cs-host, s-ip, s-port, cs-uri-stem, and cs-uri-query are enabled in MS IIS. If search-time extraction is used, the expected field extraction is listed in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/transforms.conf. If index-time extraction is used, make sure the log file is rolled over with the new headers.

I can’t launch the add-on!

This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.

For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.

Index-time extractions are not working correctly in the ms:iis:auto source type after changing the log format on the MS IIS side. Multiple #Fields: headers appear within the same log file.

Microsoft IIS log files follow the W3C format. However, if multiple #Fields: headers with different fields appear within the same log file, index-time extraction fails. This occurs when the header fields change on the MS IIS side, which disrupts the extraction process.

Since Splunk does not support dynamic headers within the same file, the issue must be addressed at the MS IIS end.

To limit the impact of multiple #Fields: headers with different fields in a single file, switch the log rotation to hourly, which reduces the likelihood of this issue:

  1. In the Internet Information Services (IIS) Manager, go to the Logging tab.
  2. In the Log File Rollover section, set the schedule to hourly.

This configuration creates a new log file every hour and the issue does not occur when monitoring the new log file.
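The following added example (not part of the Splunk add-on or its documentation) audits an IIS W3C log for the two header problems described above: a #Fields: header that changes within one file, and fields required for the “url” extraction that are missing from the latest header. The function name, the report keys, and the sample log lines are constructed for illustration.

```python
# Added example: audit an IIS W3C log for changed #Fields: headers and for
# missing fields that the page lists as required for the "url" extraction.
URL_FIELDS = ("https", "cs-host", "s-ip", "s-port", "cs-uri-stem", "cs-uri-query")

def audit_w3c_log(lines):
    """Return a report on the #Fields: directives found in W3C log lines."""
    headers = []            # (line number, field list) per #Fields: directive
    rows_after_change = 0   # data rows under a header that differs from the first
    current = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            current = line[len("#Fields:"):].split()
            headers.append((line_no, current))
        elif line and not line.startswith("#") and current is not None:
            if current != headers[0][1]:
                rows_after_change += 1
    latest = headers[-1][1] if headers else []
    return {
        "header_lines": [n for n, _ in headers],
        "header_changed": len({tuple(f) for _, f in headers}) > 1,
        "rows_after_change": rows_after_change,
        "missing_url_fields": [f for f in URL_FIELDS if f not in latest],
    }

# Constructed sample: the field list changes mid-file (cs-host is added),
# and the custom "https" field is still not logged.
SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-01 00:00:01 192.0.2.10 GET /index.html - 443 198.51.100.7 200
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs-host sc-status
2024-01-01 00:30:01 192.0.2.10 GET /login id=1 443 198.51.100.7 www.example.test 200
2024-01-01 00:30:05 192.0.2.10 GET /home - 443 198.51.100.7 www.example.test 200
""".splitlines()

if __name__ == "__main__":
    for key, value in audit_w3c_log(SAMPLE).items():
        print(f"{key}: {value}")
```

To check a real file, pass its lines to audit_w3c_log; a report with header_changed set to True identifies a file that needs to be rolled over before index-time extraction is reliable again.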