I have updated the IIS module default.json file located at C:\dir\module\iis\access\ingest to include a grok pattern to pick up the new IP address field %{IPORHOST:iis.access.userip}, I tested this in the grok debugger and it parses the IP in to a field called userip.
The log file has now been ingested and is searchable in Kibana, but I can not see the additional field. After looking at a lot of documentation I can see that I likely need to update the index, but my lack of knowledge has made this confusing.
Beyond this, I don't think that just by adding this extra parsing part will be able to work out of the box. Fields are documented and defined so as to apply to the field mappings accordingly. See: https://github.com/elastic/beats/blob/master/filebeat/module/iis/access/_meta/fields.yml. This makes your approach quite hacky :), which is ok but you have to deal with all these internal stuff.
Since you just want this extra field I would suggest you checking script_processor and try to extract the extra field from the original message.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.