I am looking to run a report based on the response time value in an IIS log file. The value is always the final entry in the event. I was able to create a field extraction to grab a consistent set of the data from each event, but not ONLY the response time. My existing field extraction grabs something like this out of each event:
.com 200 0 0 540020 594 109
For clarity, I'm looking to report on the last value in each field extraction, regardless of what the other values in the field are. I need to do this at search time.
I'm not certain I understand correctly, but have you tried something like the following RegEx:
This should allow you to grab all the last characters in a whitespace-separated string of values.
I'm a newbie in my search syntax skills, so how would that translate in a search? Something like:
search terms | rex field=
Almost! It would be like this -- and it will create a new field from the RegEx:
... | rex field=myfield "(?