Thanks for your tip, @yeahnah, on manually loading a file into the index to see what it does. This got me started on figuring this out. I did the following:

I imported a simple CSV using sourcetype=testsourcetype, index=windows_iis. The result was that the data got ingested successfully into the index and I could search on it successfully.

I imported a second CSV using sourcetype=ms:iis:auto, index=windows_iis. The result was that as soon as I typed ms:iis:auto into the sourcetype filter and selected this sourcetype, the preview of the data went all weird: it kept just the date/time and lost the rest of the data for each event.

I imported a third CSV using sourcetype=ms:iis:default:85, index=windows_iis. The result was that the data was ingested successfully into the index and I could search on it successfully.

Not sure what is actually happening when I use sourcetype=ms:iis:auto and why it doesn't work; however, I've changed my deployment to use sourcetype=ms:iis:default:85 (which is probably a more appropriate selection anyhow, based on my IIS version).

Thanks for your help. 🙂