Splunk Search

Would like to report on a value within a field extraction

cpenkert
Path Finder

I am looking to run a report based on the response time value in an iis logfile. The value is always the final entry in the event. I was able to create a field extraction to grab a consistent set of the data from each event, but not ONLY the response time. My existing field extraction grabs something like this out of each event:
.com 200 0 0 540020 594 109

For clarity, I'm looking to report on the last value in each field extraction, regardless of what the other values in the field are. I need to do this at search time.

Any ideas?

1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

I'm not certain I understand correctly, but have you tried something like the following RegEx:

(\S+)$

This should allow you to grab all the last characters in a whitespace-separated string of values.

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

I'm not certain I understand correctly, but have you tried something like the following RegEx:

(\S+)$

This should allow you to grab all the last characters in a whitespace-separated string of values.

Ron_Naken
Splunk Employee
Splunk Employee

Almost! It would be like this -- and it will create a new field from the RegEx: ... | rex field=myfield "(?\S+)$"

0 Karma

cpenkert
Path Finder

I'm a newbie in my search syntax skills, so how would that translate in a search? something like:
search terms | rex field= (\S+)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...