I have to disagree on defining field extraction at index time. Yes, define your field extractions in props.conf - that is correct, and it is actually at search time.
As stefano points out, having the field extractions defined will simplify your search dramatically. It will also make it easier to create reports and other items.
There is a built-in sourcetype named iis - if you use it, you might get the field extractions without needing to do anything at all. IIS sometimes shows up as iis-2 or iis-3, etc. So if you still need to add field extractions to props.conf, you can use the following stanza header and your field extractions will apply to all of the IIS variants:
[(?:::){0}iis*]
# your field extractions here
EXTRACT-e1=(?<year>\d{4})-(?<month>\d{1,2})-(?<date>\d{1,2}) (?<hours>\d{1,2}):(?<minutes>\d{1,2}):(?<seconds>\d{1,2}) (?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<request_method>\w{3,4}) (?<uri>\S*) (?<query_string>.*) (?<server_port>\d{2,5}) - (?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<user_agent>.*) (?<http_status_code>\d{3}) (?<http_sub_status_code>\d{1,3}) (?<time_taken>\d{1,10}) (?<num_bytes>\d{1,10})$
Also, I would propose this search
earliest=-15m sourcetype="iis*" AND
(host="xxxx-vmweb-p04" OR host="xxxx-vmweb-p05" OR host="xxxx-vmweb-p06" OR host="xxxx-vmweb-p07" OR host="xxxx-vmweb-p08") AND
( [search index="CLIENT_AAA__deploy_arch" | table uri ] )
| stats count as numErrors by http_status_code site_id uri query_string
| sort -numErrors
This combines the subsearch into the initial search, which will be faster. But the subsearch over the CLIENT_AAA__deploy_arch index is running over all time. Perhaps you should include an earliest= parameter in the subsearch as well?
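As an added example that is not part of this answer or of Splunk itself, here is a small Python harness that takes the EXTRACT-e1 regex above, runs it over a handful of constructed IIS events, and mirrors the stats count ... | sort pipeline offline, so the extraction can be checked before it goes into props.conf. Splunk's PCRE spells named groups as (?<name>...) while Python wants (?P<name>...), so the pattern is rewritten before compiling. The sample log lines and the DEPLOY_URIS set (standing in for the subsearch's table of uris) are invented for the example.

```python
import re
from collections import Counter
from typing import Optional

# EXTRACT-e1 from the props.conf stanza above, copied as written. Splunk's
# PCRE spells named groups (?<name>...); Python's re wants (?P<name>...),
# so pcre_to_python() rewrites that before compiling.
EXTRACT_E1 = (
    r"(?<year>\d{4})-(?<month>\d{1,2})-(?<date>\d{1,2}) "
    r"(?<hours>\d{1,2}):(?<minutes>\d{1,2}):(?<seconds>\d{1,2}) "
    r"(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<request_method>\w{3,4}) "
    r"(?<uri>\S*) (?<query_string>.*) (?<server_port>\d{2,5}) - "
    r"(?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<user_agent>.*) "
    r"(?<http_status_code>\d{3}) (?<http_sub_status_code>\d{1,3}) "
    r"(?<time_taken>\d{1,10}) (?<num_bytes>\d{1,10})$"
)


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    The lookahead for a letter leaves lookbehinds (?<= and (?<! alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


FIELD_RE = re.compile(pcre_to_python(EXTRACT_E1))


def extract(event: str) -> Optional[dict]:
    """Apply the extraction the way Splunk does (unanchored search over the
    raw event). Returns the named fields, or None when the regex rejects it."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else None


def unmatched_lines(lines):
    """Events the regex rejects; review this list before shipping the EXTRACT."""
    return [line for line in lines if extract(line) is None]


def search_pipeline(lines, deploy_uris):
    """Offline equivalent of the SPL in the post: keep events whose uri is in
    the subsearch's table of uris (the (uri="a" OR uri="b") expansion), then
    stats count as numErrors by http_status_code uri query_string | sort -numErrors.
    Ties are broken by key so the result is deterministic."""
    counts = Counter()
    for line in lines:
        ev = extract(line)
        if ev is None or ev["uri"] not in deploy_uris:
            continue
        counts[(ev["http_status_code"], ev["uri"], ev["query_string"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data, not real log lines. The two directive lines are the
# kind IIS writes at the top of every log file; they must not yield fields.
SAMPLE_LINES = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Date: 2014-03-10 13:45:00",
    "2014-03-10 13:45:01 10.0.0.5 GET /default.aspx - 80 - 192.168.1.20 Mozilla/5.0+(Windows+NT+6.1) 200 0 15 1234",
    "2014-03-10 13:45:02 10.0.0.5 GET /api/items id=7 443 - 192.168.1.21 Mozilla/5.0+(Windows+NT+6.1) 500 0 120 512",
    "2014-03-10 13:45:03 10.0.0.5 POST /login.aspx - 443 - 192.168.1.22 curl/7.29.0 500 0 30 256",
    "2014-03-10 13:45:04 10.0.0.5 GET /api/items id=7 443 - 192.168.1.23 Mozilla/5.0+(Windows+NT+6.1) 500 0 98 512",
    "2014-03-10 13:45:05 10.0.0.5 GET /default.aspx - 80 - 192.168.1.24 Mozilla/5.0 404 0 4 0",
]

# Hypothetical stand-in for [search index="CLIENT_AAA__deploy_arch" | table uri].
DEPLOY_URIS = {"/api/items", "/login.aspx"}

if __name__ == "__main__":
    for bad in unmatched_lines(SAMPLE_LINES):
        print("no fields extracted:", bad)
    for (status, uri, qs), n in search_pipeline(SAMPLE_LINES, DEPLOY_URIS):
        print(f"numErrors={n} http_status_code={status} uri={uri} query_string={qs}")
```

Running it shows the two directive lines extracting nothing (the $ anchor and the numeric trailing fields reject them) and the error counts grouped exactly as the stats clause would group them. Any real event that lands in the unmatched list is a sign the regex needs adjusting for that IIS log layout before it is deployed.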