https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541579#M153339 <P>When you say "filter out" do you mean you wish to use a regular expression to extract the sc-status and time-taken fields?</P><P>If so, try this:</P><LI-CODE lang="markup">... | rex "(?:\S+\s){16}(?&lt;status&gt;\d+)\s(?:\S+\s){4}(?&lt;time_taken&gt;\d+)"</LI-CODE> Fri, 26 Feb 2021 20:32:39 GMT richgalloway 2021-02-26T20:32:39Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541565#M153333 <P>i do like to filter out Status code and Time Taken and other as fields</P><P>#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken</P><P>2021-02-20 06:56:41 W3SVC1 XXX 100.x.x.x HEAD / - 9004 - 10.x.x.x HTTP/1.1 - - - <A href="http://www.google.com:80" target="_blank" rel="noopener">www.google.com:80</A> 403 14 0 181 70 46</P><P>here status code is 403 and time-taken 46</P><P>Thanks in Advance</P><P>&nbsp;</P> Fri, 26 Feb 2021 18:12:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541565#M153333 sachdeva_2007 2021-02-26T18:12:47Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541579#M153339 <P>When you say "filter out" do you mean you wish to use a regular expression to extract the sc-status and time-taken fields?</P><P>If so, try this:</P><LI-CODE lang="markup">... | rex "(?:\S+\s){16}(?&lt;status&gt;\d+)\s(?:\S+\s){4}(?&lt;time_taken&gt;\d+)"</LI-CODE> Fri, 26 Feb 2021 20:32:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541579#M153339 richgalloway 2021-02-26T20:32:39Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541727#M153381 <P>Thanks.</P><P>Got the header of fields of the logs as follow but what would the query to pull status code and order by Client wise.</P><P>also in the interesting fields status and time-taken not showing.</P><P>is this the site of "<A href="https://www.debuggex.com/cheatsheet/regex/pcre" target="_blank" rel="noopener">https://www.debuggex.com/cheatsheet/regex/pcre</A>"</P><P>&nbsp;</P><P>1 3/1/21<BR />3:00:01.000 AM</P><P>&nbsp;</P><P>#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken<BR />host = XXXXX<BR />source = E:\acbsapi\Logs\wlUat\IIS\Site_wlUat\W3SVC1\u_ex210301.log<BR />sourcetype = XXX</P><P>2 3/1/21<BR />3:00:01.000 AM</P><P>&nbsp;</P><P>#Date: 2021-03-01 00:00:01<BR />host = XXX<BR />source = E:\acbsapi\Logs\wlUat\IIS\Site_wlUat\W3SVC1\u_ex210301.log<BR />sourcetype =XXX</P><P>3 3/1/21<BR />2:00:03.000 AM</P><P>&nbsp;</P><P>#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken<BR />host = XXX<BR />source = E:\acbsapi\Logs\wlUat\IIS\Site_wlUat\W3SVC1\u_ex210301.log<BR />sourcetype = XXX</P><P>4 3/1/21<BR />2:00:03.000 AM</P><P>&nbsp;</P><P>#Date: 2021-03-01 00:00:03<BR />host = XXX<BR />source = E:\acbsapi\Logs\wlUat\IIS\Site_wlUat\W3SVC1\u_ex210301.log<BR />sourcetype = XXX</P><P>5 2/28/21<BR />10:49:06.000 PM</P><P>&nbsp;</P><P>2021-02-28 20:49:06 W3SVC1 XXX 100.72.153.196 GET /Portfolio/02/Loan/920029607/LoanTransaction absolutePosition=0&amp;startDate=2021-02-26T00:00:00 9004 sa_esb_acbs_qa 100.72.210.0 HTTP/1.1 Apache-HttpClient/4.0.1+(java+1.5) - - acbs-api-uat-fhb.fisglobal.com 200 0 0 453 2159 143<BR />host = XXX<BR />source = E:\acbsapi\Logs\wlUat\IIS\Site_wlUat\W3SVC1\u_ex210228.log<BR />sourcetype = XXX</P> Mon, 01 Mar 2021 10:11:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541727#M153381 sachdeva_2007 2021-03-01T10:11:22Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541751#M153390 <P>Saw the interesting fields with Status and time_taken. i was looking for query Client wise Hits and Average response time(time_taken)</P><P>Thanks in Advance.</P><P>&nbsp;</P> Mon, 01 Mar 2021 13:50:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541751#M153390 sachdeva_2007 2021-03-01T13:50:17Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541804#M153422 <P>What have you tried so far?</P> Mon, 01 Mar 2021 15:49:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541804#M153422 richgalloway 2021-03-01T15:49:20Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541815#M153429 <P>use these fields extract</P><P>index=xx_api | rex "^(?P&lt;Date&gt;[^ ]+)(?:[^\-\n]*\-){5}\s+(?P&lt;Host_Name&gt;[^ ]+)\s+(?P&lt;Status&gt;\d+)\s+(\d+\s+)+(?P&lt;Time_Taken&gt;.+)" | search Status=200</P><P>how can pull the report with</P><P>-Total Hits,&nbsp;</P><P>-avgerage(time-taken)</P><DIV>order by Client Wise</DIV><DIV>&nbsp;</DIV><DIV>Regards</DIV><DIV>&nbsp;</DIV> Mon, 01 Mar 2021 16:41:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/541815#M153429 sachdeva_2007 2021-03-01T16:41:55Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/542175#M153575 <P>Used below command and got the result but when i run second command not getting any result can you please suggest on this</P><P>* index=xxx sc_status=201</P><P>*index=xxx sc_status=201 AND sc_status=200</P><P>&nbsp;</P><P>any help highly appreciated.</P><P>&nbsp;</P> Wed, 03 Mar 2021 14:35:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/542175#M153575 sachdeva_2007 2021-03-03T14:35:47Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/542188#M153579 <P>The second query fails because it is not possible for the sc_status field to be both 200 and 201 at the same time.&nbsp; Perhaps you want&nbsp;<SPAN><FONT face="courier new,courier">index=xxx (sc_status=201 OR sc_status=200)</FONT>?</SPAN></P> Wed, 03 Mar 2021 15:35:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/542188#M153579 richgalloway 2021-03-03T15:35:36Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/542189#M153580 <P>&nbsp;</P><P>Try this.&nbsp;&nbsp;</P><LI-CODE lang="markup">index=xx_api | rex "^(?P&lt;Date&gt;[^ ]+)(?:[^\-\n]*\-){5}\s+(?P&lt;Host_Name&gt;[^ ]+)\s+(?P&lt;Status&gt;\d+)\s+(\d+\s+)+(?P&lt;Time_Taken&gt;.+)" | search Status=200 | stats count as "Total Hits", avg(Time_Taken) as Avg_Time_Taken by Host_Name</LI-CODE><P>&nbsp;</P> Wed, 03 Mar 2021 15:40:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-IIS-logs-with-regular-expression/m-p/542189#M153580 richgalloway 2021-03-03T15:40:11Z