https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-chart-count-search-returning-HTTP-codes-to/m-p/188464#M54303 <P>Thre is more than one way as in Perl <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <PRE><CODE>source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR" 301 Bytes" OR" 302 Bytes")|... </CODE></PRE> <P>or</P> <PRE><CODE>source="/export/home/gpiadmin/logs/access_log" NOT " 200 Bytes" NOT " 301 Bytes" NOT " 302 Bytes"|... </CODE></PRE> <P>or even</P> <PRE><CODE>source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?&lt;status_code&gt;\d+)"|chart count by status_code | search NOT( status_code=200 ORstaus_code=301) </CODE></PRE> Fri, 28 Aug 2015 14:01:51 GMT FritzWittwer_ol 2015-08-28T14:01:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-chart-count-search-returning-HTTP-codes-to/m-p/188462#M54301 <P>Hi All,</P> <PRE><CODE>source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?&lt;status_code&gt;\d+)"|chart count by status_code </CODE></PRE> <P>This is giving me the all the HTTP codes and the corresponding counts as below</P> <H2>Code Count</H2> <P>200 5000<BR /> 404 1,321<BR /> 500 8,888<BR /> 301 9,102</P> <P>I don't want the 200 and 301 codes in my result set. For this, I tried the below logic, but never worked. It still lists the 200 and 301.</P> <P>I need something like:</P> <H2>Code Count</H2> <P>404 1,321<BR /> 500 8,888</P> <PRE><CODE>source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" AND " 301 Bytes" AND " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?&lt;status_code&gt;\d+)"|chart count by status_code </CODE></PRE> <P>Data String I am searching against:</P> <PRE><CODE>Time Taken: 120039666 URL_STRING: /shop/dept_outfit.jsp 11.111.111.11 - - [28/Aug/2015:02:54:20 -0700] "GET /shop/dept_outfit.jsp HTTP/1.0" 200 Bytes: 56814 "-" "Mozilla/5.0 (compatible; test/1.0; <A href="http://open.test.com/dev/test)&quot;" target="test_blank">http://open.test.com/dev/test)"</A>; </CODE></PRE> <P>Please advise.</P> Fri, 28 Aug 2015 12:40:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-chart-count-search-returning-HTTP-codes-to/m-p/188462#M54301 mcvr 2015-08-28T12:40:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-chart-count-search-returning-HTTP-codes-to/m-p/188463#M54302 <P>Try this:</P> <PRE><CODE>source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR " 301 Bytes" OR " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?&lt;status_code&gt;\d+)"|chart count by status_code </CODE></PRE> Fri, 28 Aug 2015 13:51:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-chart-count-search-returning-HTTP-codes-to/m-p/188463#M54302 richgalloway 2015-08-28T13:51:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-chart-count-search-returning-HTTP-codes-to/m-p/188464#M54303 <P>Thre is more than one way as in Perl <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <PRE><CODE>source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR" 301 Bytes" OR" 302 Bytes")|... </CODE></PRE> <P>or</P> <PRE><CODE>source="/export/home/gpiadmin/logs/access_log" NOT " 200 Bytes" NOT " 301 Bytes" NOT " 302 Bytes"|... </CODE></PRE> <P>or even</P> <PRE><CODE>source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?&lt;status_code&gt;\d+)"|chart count by status_code | search NOT( status_code=200 ORstaus_code=301) </CODE></PRE> Fri, 28 Aug 2015 14:01:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-chart-count-search-returning-HTTP-codes-to/m-p/188464#M54303 FritzWittwer_ol 2015-08-28T14:01:51Z