Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude statusCodes that are Not Three Digits

rick4039
Explorer
‎02-09-2021 01:03 PM

I'm trying to pick up the status codes for a given api, 4XX and 5XX.  I've typically done this with something like this: (changed the index, source and sourceUrl to be generic)

index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=\5*)
| timechart span=15m@m usenull=false count(statusCode) by statusCode

This has worked in the past, but I'm running into a situation for some api's where my search is returning values such as: 4, 40, 41 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc.

My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41 44, 5, 50, 51) I've tried doing something like: statusCode=40* this excluded everything except 40. I tried statusCode=40\d  Thought i'd try, =40? but nothing is working. 

Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX

I'm not very experienced with regex, but it seems like that might be the path?

Appreciate your help!
Thanks, rick

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-09-2021 01:24 PM

@rick4039 

A number of ways to do this, here are two ways

 

| where match(statusCode, "^[45][01]\d$")

| regex statusCode="^[45][01]\d$"

 

 use this after the initial search. It allows for the middle digit to be a 0 or 1, but you can change that as needed. The 3rd digit can be any number.

0 Karma
Reply

rick4039
Explorer
‎02-10-2021 01:31 PM

@bowesmanaThanks!!

I've tried using both in my query but was having a bit of trouble.  I'm continuing to edit my query with your recommendations to get it to work.  Your recommendation on using the |where command turned me on to using it with greater than, less than. 

| where statusCode>=400 AND statusCode<499

This solved my immediate need and gave me a good example on using regex in my queries.

Thanks!!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...