https://community.splunk.com/t5/Splunk-Search/Exclude-statusCodes-that-are-Not-Three-Digits/m-p/539221#M152523 <P>I'm trying to pick up the status codes for a given api, 4XX and 5XX.&nbsp; I've typically done this with something like this: (changed the index, source and sourceUrl to be generic)</P><P>index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=\5*)<BR />| timechart span=15m@m usenull=false count(statusCode) by statusCode</P><P>This has worked in the past, but I'm running into a situation for some api's where my search is returning values such as: 4, 40, 41 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc.</P><P>My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41 44, 5, 50, 51) I've tried doing something like: statusCode=40* this excluded everything except 40. I tried statusCode=40\d&nbsp; Thought i'd try, =40? but nothing is working.&nbsp;</P><P>Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX</P><P>I'm not very experienced with regex, but it seems like that might be the path?</P><P>Appreciate your help!<BR />Thanks, rick</P> Tue, 09 Feb 2021 21:03:15 GMT rick4039 2021-02-09T21:03:15Z https://community.splunk.com/t5/Splunk-Search/Exclude-statusCodes-that-are-Not-Three-Digits/m-p/539221#M152523 <P>I'm trying to pick up the status codes for a given api, 4XX and 5XX.&nbsp; I've typically done this with something like this: (changed the index, source and sourceUrl to be generic)</P><P>index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=\5*)<BR />| timechart span=15m@m usenull=false count(statusCode) by statusCode</P><P>This has worked in the past, but I'm running into a situation for some api's where my search is returning values such as: 4, 40, 41 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc.</P><P>My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41 44, 5, 50, 51) I've tried doing something like: statusCode=40* this excluded everything except 40. I tried statusCode=40\d&nbsp; Thought i'd try, =40? but nothing is working.&nbsp;</P><P>Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX</P><P>I'm not very experienced with regex, but it seems like that might be the path?</P><P>Appreciate your help!<BR />Thanks, rick</P> Tue, 09 Feb 2021 21:03:15 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-statusCodes-that-are-Not-Three-Digits/m-p/539221#M152523 rick4039 2021-02-09T21:03:15Z https://community.splunk.com/t5/Splunk-Search/Exclude-statusCodes-that-are-Not-Three-Digits/m-p/539223#M152524 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/217349">@rick4039</a>&nbsp;</P><P>A number of ways to do this, here are two ways</P><P>&nbsp;</P><LI-CODE lang="markup">| where match(statusCode, "^[45][01]\d$") | regex statusCode="^[45][01]\d$"</LI-CODE><P>&nbsp;</P><P>&nbsp;use this after the initial search. It allows for the middle digit to be a 0 or 1, but you can change that as needed. The 3rd digit can be any number.</P> Tue, 09 Feb 2021 21:25:58 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-statusCodes-that-are-Not-Three-Digits/m-p/539223#M152524 bowesmana 2021-02-09T21:25:58Z https://community.splunk.com/t5/Splunk-Search/Exclude-statusCodes-that-are-Not-Three-Digits/m-p/539363#M152546 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>Thanks!!</P><P>I've tried using both in my query but was having a bit of trouble.&nbsp; I'm continuing to edit my query with your recommendations to get it to work.&nbsp; Your recommendation on using the |where command turned me on to using it with greater than, less than.&nbsp;</P><P>| where statusCode&gt;=400 AND statusCode&lt;499</P><P>This solved my immediate need and gave me a good example on using regex in my queries.</P><P>Thanks!!</P> Wed, 10 Feb 2021 21:31:14 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-statusCodes-that-are-Not-Three-Digits/m-p/539363#M152546 rick4039 2021-02-10T21:31:14Z