Splunk Search

Would like to report on a value within a field extraction

Path Finder

I am looking to run a report based on the response time value in an IIS log file. The value is always the final entry in the event. I was able to create a field extraction to grab a consistent set of the data from each event, but not ONLY the response time. My existing field extraction grabs something like this out of each event:

    .com 200 0 0 540020 594 109

For clarity, I'm looking to report on the last value in each field extraction, regardless of what the other values in the field are. I need to do this at search time.

Any ideas?


Re: Would like to report on a value within a field extraction

Splunk Employee

I'm not certain I understand correctly, but have you tried something like the following RegEx:

    (\S+)$

This should allow you to grab all the last characters in a whitespace-separated string of values.



Re: Would like to report on a value within a field extraction

Path Finder

I'm a newbie in my search syntax skills, so how would that translate in a search? Something like:

    search terms | rex field= (\S+)


Re: Would like to report on a value within a field extraction

Splunk Employee

Almost! It would be like this -- and it will create a new field from the RegEx:

    ... | rex field=myfield "(?<response_time>\S+)$"

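As an added example (not from the thread or from Splunk), the Python below applies the same last-token regex to a few constructed IIS-style events to show what the `rex` extraction yields and the two edge cases a practitioner hits: a trailing space that makes a bare `$` anchor miss, and a non-numeric placeholder such as `-` in the time-taken position. The field name `response_time`, the sample lines and the slow-request threshold are assumptions.

```python
import re
import statistics

# Constructed IIS W3C-style events (not from the original thread).
# The last whitespace-separated token is time-taken in milliseconds.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 www.example.com 200 0 0 540020 594 109",
    "2024-01-01 10:00:01 10.0.0.5 POST /login - 443 - 198.51.100.9 Mozilla/5.0 www.example.com 302 0 0 1203 812 2450",
    # trailing whitespace: a bare (\S+)$ would not match this line
    "2024-01-01 10:00:02 10.0.0.5 GET /api/items - 443 - 198.51.100.7 curl/8.0 www.example.com 500 0 64 0 301 31002  ",
    # "-" is what IIS writes when a value is unavailable
    "2024-01-01 10:00:03 10.0.0.5 GET /health - 80 - 10.0.0.1 probe www.example.com 200 0 0 17 120 -",
]

# Same idea as the rex in the accepted answer, with a named capture group and
# an optional \s* before the anchor so trailing whitespace does not defeat it.
LAST_TOKEN = re.compile(r"(?P<response_time>\S+)\s*$")


def extract_response_time(event: str):
    """Return the last token as an int, or None if absent or non-numeric."""
    match = LAST_TOKEN.search(event)
    if not match:
        return None
    try:
        return int(match.group("response_time"))
    except ValueError:
        return None  # e.g. the "-" placeholder; drop rather than report 0


def report(events, slow_ms=10000):
    """Summarise response times the way a stats command over the new field would."""
    times = [t for t in (extract_response_time(e) for e in events) if t is not None]
    return {
        "count": len(times),
        "avg_ms": statistics.mean(times) if times else None,
        "max_ms": max(times) if times else None,
        "slow": sum(1 for t in times if t >= slow_ms),  # candidates for closer inspection
    }


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(extract_response_time(line))
    print(report(SAMPLE_EVENTS))
```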