Splunk Search

How to extract time-taken from IIS logs

yennaciri
New Member

We are trying to build an alert based on the 'time-taken' IIS field;
the query we have is:
sourcetype=iis_logs host="hostname" AND "POST /request/request" | rex "(?w*)$"

the restuls being returned include the entire IIS Log line:

2014-03-23 13:11:12 10.250.80.250 POST /request/request - 4301 Customer 10.250.80.11 - 200 0 0 951

What we'd like is to have the query returns the results as follows:
Host , Request URL , Time-taken

Thanks

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Assuming the field names exist like this in your search, you can append this

... | table host request_url time_taken

to get your three-column table.

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Hi Splunky people! We are excited to share the newest updates in Splunk Enterprise 9.3!Admins and Analyst can ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...