Splunk parsing IIS log files
I am using Splunk to parse IIS log files from a few servers. All the servers have the same fields set up in IIS, and all of them run the same version of Windows Server 2003. However, Splunk tags the sourcetype of those log files as "iis" or "iis-2" or "iis-3"... even for files from the same server. I can't find a pattern. How do I make sure Splunk tags all the log files with the same sourcetype?
Another question: for some log files Splunk automatically extracts all the key/value pairs in the query string field, while for others it does not... I'd like Splunk to parse out the query string key/value pairs at index time so that searches are fast.
Can anyone help?
Thanks
Comments (2)
IIS logs are very easy to splunk, but you need to tell it what format the logs are in (since you can alter the log format). Here is an example for you.
In inputs.conf ($SPLUNK_HOME\etc\system\local\inputs.conf), add a stanza like this:
In props.conf ($SPLUNK_HOME\etc\system\local\props.conf), add a stanza like this:
Finally, we need to define the two transforms in transforms.conf (which is in $SPLUNK_HOME\etc\system\local\transforms.conf) as follows:
The format of the mswin_2008r2_iis_fields is taken from the top of the IIS log file. This is (hopefully obviously) for the default IIS logs from Windows Server 2008 R2. The location and format have changed from version to version, plus you can alter both the location and format on a per-host basis.
For more information on these configuration files, see the documentation - freely available at http://docs.splunk.com
Splunk will auto-recognize many kinds of data sources, called "sourcetypes" in Splunk, and if you don't tell Splunk which specific "sourcetype" to use, it will create a new sourcetype and name it based on which sourcetype it thinks it matches.
To prevent this feature from lumping together sourcetypes that might be different, Splunk will create a new sourcetype with a sequential number appended.
That's why you're seeing "iis-2" "iis-3" etc.
You should either choose the "iis" sourcetype when you create your new data inputs, if it matches your data, or create a new "iis-whatever" sourcetype for your data.
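The three stanzas the first answer refers to did not survive in this copy of the page. The following is an added example written for this edit, not the answer's own configuration and not Splunk's shipped IIS settings. It shows one way to do what both answers describe: pin a single sourcetype on every IIS input so Splunk stops guessing, drop the comment lines, and extract both the fixed W3C columns and the query-string key/value pairs. Everything in it is an assumption: the sourcetype name iis_w3c, the log path (the IIS 7.5 default), the transform names, and the column list, which follows the default field order of a Windows Server 2008 R2 IIS log as the first answer mentions. As that answer warns, the order differs between versions and can be changed per host, so copy the `#Fields:` line from your own log and rename the columns to match.

```ini
# inputs.conf ($SPLUNK_HOME\etc\system\local\inputs.conf)
# Assumed path: the default IIS 7.5 log directory. Naming the sourcetype here
# stops Splunk from auto-classifying the files (and from minting iis-2, iis-3, ...).
[monitor://C:\inetpub\logs\LogFiles]
sourcetype = iis_w3c
disabled = 0

# props.conf ($SPLUNK_HOME\etc\system\local\props.conf)
[iis_w3c]
SHOULD_LINEMERGE = false
# Do not let Splunk derive field names (or a new "<sourcetype>-N" sourcetype)
# from the "#Fields:" header; the column layout is declared below instead.
CHECK_FOR_HEADER = false
# IIS writes UTC timestamps as "YYYY-MM-DD HH:MM:SS" at the start of each line.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TZ = UTC
# Index time: discard the #Software / #Version / #Date / #Fields comment lines.
TRANSFORMS-drop_comments = iis_w3c_drop_comments
# Search time: split the columns first, then explode cs_uri_query.
# Listing both in one REPORT- line fixes the order, so the second transform
# can read the field the first one produced.
REPORT-iis = iis_w3c_fields, iis_w3c_query_kv

# transforms.conf ($SPLUNK_HOME\etc\system\local\transforms.conf)
[iis_w3c_drop_comments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

# Column order copied from the "#Fields:" line of a default IIS 7.5 log:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
[iis_w3c_fields]
DELIMS = " "
FIELDS = "date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query", "s_port", "cs_username", "c_ip", "cs_User_Agent", "sc_status", "sc_substatus", "sc_win32_status", "time_taken"

# Turn "id=42&page=2" into the fields id=42 and page=2. MV_ADD keeps a repeated
# key (a=1&a=2) as a multivalue field instead of overwriting it.
[iis_w3c_query_kv]
SOURCE_KEY = cs_uri_query
REGEX = ([^&=]+)=([^&]*)
FORMAT = $1::$2
MV_ADD = true
```

The inputs.conf, timestamp and TRANSFORMS- settings are index-time and need a Splunk restart; they only affect data indexed afterwards. The REPORT- extractions are search-time and apply to events already indexed, which is why they are the usual choice for field splitting even though the question asks for index time. If the query-string pairs really must be indexed fields, the same regex can be referenced from a TRANSFORMS- line with `WRITE_META = true` and declared in fields.conf, at the cost of larger indexes and of having to match against `_raw` rather than a search-time field. One caveat worth remembering: cs_uri_query is client-controlled, so `$1::$2` lets any requester choose field names; that is fine for searching but not something to feed into a field list that must stay bounded.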