Refine your search:

extracting time-taken field from IIS logs

0

We need to start alerting on the results of the IIS time taken field. Any idea how to extract that field so it can be easily searched? I am hasving no luck at all.

example output

2012-04-25 21:23:31 ::1 POST /PU.PDS.ExternalServices/SolutionExecution/ExternalSolutionExecution.svc - 80 - ::1 - 200 0 0 11734

I need to sertup an alert on the last field output "11734" when it gets over 10000.

Thanks!

Ed

asked 26 Apr '12, 10:55

ebailey's gravatar image

ebailey
212
accept rate: 0%

One Answer:
oldestnewestmost voted
1

Try to see if adding this in your search works.

sourcetype=iis_logs| rex "(?<time_taken>w*)$"

See if the field time_taken is matching the last digits correctly. Then create an alert and make it alert if time_taken > 10000

link

answered 26 Apr '12, 13:38

roumys's gravatar image

roumys
112
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×531
×258
×78
×59

Asked: 26 Apr '12, 10:55

Seen: 1,032 times

Last updated: 26 Apr '12, 13:38

Related questions

IIS logs and timezone

IIS Logs & WebIntelligence

How to extract fields from IIS default log file format (W3C Extended Logs) with Splunk

Indexing and extracting fields from IIS 7.5 logs

IIS 6.0 logs (W3C Extended) columns names are shifted one position from the data due to "#Fields: "

GMT IIS logs won't display real-time

Timezone adjustment for IIS logs not working

IIS Status Field

Time zone not working for iis logs

Copyright © 2005-2012 Splunk Inc. All rights reserved.