Splunk Search

Use Regex to extract time-take field from IIS logs

hagjos43
Contributor

I'm a noob to regex. I'm trying to extract the time-taken field from our IIS logs (this is the very last entry in the IIS log) Below is a sample of an entry in our IIS logs:

2014-04-09 12:33:43 W3SVC212014703889 HostName-GoesHere 192.168.1.1 POST /NET/forms/action.cfm - 80 - 10.10.10.10 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) __utma=0160643.09453435.371030337.371123455.371206007.3;+CFID=0934024;+CFTOKEN=4326922;+LastMRH_Session=f343018;+F5_ST=1,1,1,397046727,04800;+JSESSIONID=430d83085f0220a92cb5b1184b305a2d501;+TS8ada1b=5a642dc1bf90ac67c6b2aa83fa05b09abbd49a527d4ef10353453dc660ac0ec5504bf0e2 https://www.stuff.com/NET/forms/action.cfm www.stuff.com 302 0 0 426 1197 31

The value I want to extract to a field called "time-taken" is the number 31 above, the very last entry in the log file. And for IIS logging purposes there is always a space before it, and it is always the last entry in the log.

Many thanks!

Tags (3)
0 Karma
1 Solution

lukejadamec
Super Champion

Try:
your search |rex ".*\s(?P<TimeTaken>\d+)$" |table TimeTaken

View solution in original post

lukejadamec
Super Champion

Try:
your search |rex ".*\s(?P<TimeTaken>\d+)$" |table TimeTaken

hagjos43
Contributor

PERFECT! THANK YOU!

0 Karma

lukejadamec
Super Champion

You can also use the automated field extracter for this.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...