I am observing intermittent issues parsing IIS data.  Splunk is configured for index time parsing of IIS events on the universal forwarders (INDEXED_EXCTRACTIONS).  The extraction works fine for most events, but a small percentage (less than 1%) fail parsing.

I am detecting the events that fail parsing with the following SPL
index=[IIS INDEXES] sourcetype=iis NOT c_ip=*

I have noticed an error in the splunkd.log on the universal forwarders that accounts for some of these issues.
04-06-2022 20:08:42.602 -0500 WARN CsvLineBreaker - Parser warning: Encountered unescaped quotation mark in field while parsing. This may cause inaccurate field extractions or corrupt/merged events. - data_source="e:\iis-logs\W3SVC1\u_ex220407.log", data_host="XXXXX", data_sourcetype="iis"
In these cases, it appears that not only does index time field parsing fail but event breaking fails resulting many events getting lumped into a single event.  This may not be avoidable and we’re at least able to point to a cause for these issues but many more are unexplained.

For most of the events that fail parsing the result is a single line event which appears to be formatted correctly but has no indexed fields.  I was originally having an issue with these events reporting in the future as well but adding a time zone to props.conf seems to have at least resolved that issue.

I have upgraded through several versions (8.1.2, 8.2.3, 8.2.7.1) on the Universal forwarders and have seen this issue across all these versions.

If you have and ideas on what might be causing failures in index time parsing issues for IIS data I would love to hear them.