Trying to copy the standard IIS field extractions to a new custom sourcetype; however, these are not displaying from the indexer cluster. Any suggestions? Am I missing a transforms in the custom app? Looked for any reference to iis in the transforms.conf located in system/default, but could not find any reference.
props.conf (custom app1)
[emea_qa_iis_logs]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=w3c
MAX_TIMESTAMP_LOOKAHEAD=32
SHOULD_LINEMERGE=false
category=Web
description=W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
detect_trailing_nulls=auto
disabled=false
pulldown_type=true
TZ=GMT
LINE_BREAKER=([\r\n]+)
props.conf (system/default)
[iis]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=w3c
MAX_TIMESTAMP_LOOKAHEAD=32
SHOULD_LINEMERGE=false
category=Web
description=W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
detect_trailing_nulls=auto
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)