Forums: SplunkGeneral: Mysterious IIS-2 sourcetype


Since upgrading to 4.0.9, Splunk seems to have decided that I need an IIS-2 sourcetype (created in /etc/apps/learned/local/props.conf as best I can tell).
Is there a way to get rid of this? I tried deleting the stanza from props.conf (and an apparently associated one in transforms.conf), but Splunk keeps re-creating it/them.
I already have an IIS sourcetype, so when Splunk decides to use IIS-2 instead, it messes up my searches/reports.

Thanks

Agree, there are some opportunities for improvement with the automatic sourcetyper. The best practice is to manually set the sourcetype in inputs.conf whenever possible.

I do have it in inputs.conf:

[monitor://\\iis_server\LogFiles\W3SVC1]
disabled = 0
host = iis_server
sourcetype = IIS

And it worked fine until 4.0.9.

I've got the same problem. Even specifying the sourcetype in inputs.conf doesn't have an effect. As it is I'm working on using the "rename = iis" key/value pair in my props.conf to manually rename the sourcetype, but it would sure be nice if this worked out of the box.

Seeing the same issue here. Any way to change the sourcetype of existing data?
