If I am correct in assuming the number in bold is the response time, you an extract it via the search like this:
YOUR BASE SEARCH
| rex field=_raw "\d{3} - (?<responsetime>\d+) \""
You can also use the field extractor in Splunk to do this pretty easily by choosing a sample event and highlighting the value. The field extractor will generate the regex for you, though in some cases you may need to edit that and tweak it. In this case, I think Splunk would probably do a good job at grabbing the correct value. With this method you will always get the field at search time without having to extract it in your searches.
If you did want to tweak the regex, or write it yourself, a great tool to use is www.regex101.com to build those regular expressions.
Fyi, the leading .* is almost always assumed with Splunk regex
Point taken. =D
via rex (in your search)
...| rex "\d{3}\s+-\s+(?<ms>\d+)"
via props.conf (in search app - may require restart)
[sourcetypeName]
EXTRACT-ms = \d{3}\s+-\s+(?<ms>\d+)
This works at search time. You could adapt it for use at index time.
... | rex "\] \".*?\" \d+ - (?<responseTime>\d+)" | ...
you can use the field extractor:
http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/ExtractfieldsinteractivelywithIFX