We are trying to build an alert based on the 'time-taken' IIS field;
the query we have is:
sourcetype=iis_logs host="hostname" AND "POST /request/request" | rex "(?
the results being returned include the entire IIS log line:
2014-03-23 13:11:12 10.250.80.250 POST /request/request - 4301 Customer 10.250.80.11 - 200 0 0 951
What we'd like is to have the query return the results as follows:
Host, Request URL, Time-taken
Thanks
Assuming the field names exist like this in your search, you can append this
... | table host request_url time_taken
to get your three-column table.
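As an added example (not from the question or the answer above), here is the same extraction and threshold check done outside Splunk in Python: the named groups mirror the field names the answer assumes, and the time-taken filter is the alert condition the question is building. It assumes the column order of the sample line and takes host from the s-ip column, where Splunk would supply host from its own metadata.

```python
import re
from typing import Dict, List, Optional

# Regex for the IIS W3C column order seen in the sample line (assumption: your
# #Fields header matches it; adjust the pattern if it differs). Group names
# mirror the Splunk fields the answer uses: host, request_url, time_taken.
IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) (?P<method>\S+) "
    r"(?P<request_url>\S+) (?P<query>\S+) (?P<port>\d+) (?P<user>\S+) "
    r"(?P<client_ip>\S+) (?P<user_agent>\S+) (?P<status>\d+) "
    r"(?P<substatus>\d+) (?P<win32_status>\d+) (?P<time_taken>\d+)$"
)


def parse_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one IIS log line, or None if it does not match
    (comment/#Fields lines and malformed lines are rejected, not guessed)."""
    m = IIS_LINE.match(line.strip())
    return m.groupdict() if m else None


def slow_requests(lines: List[str], threshold_ms: int, method: str = "POST",
                  url: str = "/request/request") -> List[Dict[str, str]]:
    """Emulate the search plus `| table host request_url time_taken`: keep only
    requests for `method url` whose time-taken (IIS reports milliseconds)
    exceeds threshold_ms, and project the three columns."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        if rec["method"] != method or rec["request_url"] != url:
            continue
        if int(rec["time_taken"]) > threshold_ms:
            hits.append({k: rec[k] for k in ("host", "request_url", "time_taken")})
    return hits


# Constructed sample: the second line is the one from the question, the rest are made up.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2014-03-23 13:11:12 10.250.80.250 POST /request/request - 4301 Customer 10.250.80.11 - 200 0 0 951",
    "2014-03-23 13:11:13 10.250.80.250 GET /status - 4301 - 10.250.80.12 - 200 0 0 12",
    "2014-03-23 13:11:14 10.250.80.250 POST /request/request - 4301 Customer 10.250.80.13 - 500 0 0 30417",
]

if __name__ == "__main__":
    for row in slow_requests(SAMPLE, threshold_ms=500):
        print(row["host"], row["request_url"], row["time_taken"])
```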