I have a Splunk Search head that gets data from a Splunk Server that is indexing IIS logs. When I Query on the Indexing Server, SPlunk Autodiscovers the IIS headers which allows me to query using those headers.
Example: index=iis sc_status="404".
However, the fields aren't autodiscovered on the search head, so the same query doesn't return any results. Does anyone know how to populate the autodiscovered IIS fields on a search head?
asked 02 May '11, 06:40
By default Splunk applies a property called
There are a few things that would disable this:
answered 02 May '11, 09:45