Data looks like this
# grep 28969 request.log
22/Jul/2016:15:09:54 +0200 [28969] -> GET /libs/granite/csrf/token.json HTTP/1.1
22/Jul/2016:15:09:54 +0200 [28969] <- 200 application/json 4ms
[xxxxxx] is the common field (extracted as RequestID).
For lines where -> GET exists, I want to return the URL (field extracted as URL).
For lines where <- [0-9][0-9][0-9] is present, I want to return just the final field (4ms) as RequestTime.
Result should look like
28969 /libs/granite/csrf/token.json 4ms
Or this
... | rex "GET\s(?<URL>[^\s]+)" | rex "<-\s\d{3}\s.*\s(?<RequestTime>\w+)$" | stats values(URL) as URL values(RequestTime) as RequestTime by RequestID
Try like this
your base search | rex "\]\s->\s+GET\s+(?<URL>[^\s]+)" | rex "\]\s<-\s+\d{3}\s+[^\s]+\s+(?<RequestTime>\w+)" | stats values(URL) as URL values(RequestTime) as RequestTime by RequestID
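The request/response correlation the question asks for, as an added Python example that is not part of the original thread, useful for checking extraction patterns offline before putting them into a search. The function names and every sample line after the first two are constructed for illustration; it also shows a non-GET request and a GET that has no response line yet.

```python
import re
from collections import OrderedDict

# Constructed sample in the request.log layout shown in the question.
SAMPLE_LOG = """\
22/Jul/2016:15:09:54 +0200 [28969] -> GET /libs/granite/csrf/token.json HTTP/1.1
22/Jul/2016:15:09:54 +0200 [28969] <- 200 application/json 4ms
22/Jul/2016:15:09:55 +0200 [28970] -> GET /content/site/en.html HTTP/1.1
22/Jul/2016:15:09:55 +0200 [28971] -> POST /bin/form HTTP/1.1
22/Jul/2016:15:09:56 +0200 [28970] <- 200 text/html 112ms
22/Jul/2016:15:09:56 +0200 [28971] <- 302 text/html 9ms
22/Jul/2016:15:09:57 +0200 [28972] -> GET /content/site/slow.html HTTP/1.1
"""

# Request line: "[id] -> GET <url> ..."; only GET is captured, as in the question.
REQUEST_RE = re.compile(r"\[(?P<RequestID>\d+)\]\s->\s+GET\s+(?P<URL>\S+)")
# Response line: "[id] <- <3-digit status> ... <final field>". Anchoring on "<-"
# keeps the trailing "1" of "HTTP/1.1" on request lines out of RequestTime.
RESPONSE_RE = re.compile(
    r"\[(?P<RequestID>\d+)\]\s<-\s+\d{3}\s.*\s(?P<RequestTime>\S+)$"
)

def correlate(log_text):
    """Group lines by RequestID, like `stats ... by RequestID`."""
    rows = OrderedDict()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            row = rows.setdefault(m["RequestID"], {"URL": None, "RequestTime": None})
            row["URL"] = m["URL"]
            continue
        m = RESPONSE_RE.search(line)
        # Attach the time only when the matching GET line was already seen.
        if m and m["RequestID"] in rows:
            rows[m["RequestID"]]["RequestTime"] = m["RequestTime"]
    return rows

def format_rows(rows):
    """Render 'RequestID URL RequestTime'; '-' marks a missing response."""
    return [f"{rid} {r['URL']} {r['RequestTime'] or '-'}" for rid, r in rows.items()]

if __name__ == "__main__":
    print("\n".join(format_rows(correlate(SAMPLE_LOG))))
```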