Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude statusCodes that are Not Three Digits

rick4039
Explorer
‎02-09-2021 01:03 PM

I'm trying to pick up the status codes for a given api, 4XX and 5XX.  I've typically done this with something like this: (changed the index, source and sourceUrl to be generic)

index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=\5*)
| timechart span=15m@m usenull=false count(statusCode) by statusCode

This has worked in the past, but I'm running into a situation for some api's where my search is returning values such as: 4, 40, 41 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc.

My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41 44, 5, 50, 51) I've tried doing something like: statusCode=40* this excluded everything except 40. I tried statusCode=40\d  Thought i'd try, =40? but nothing is working. 

Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX

I'm not very experienced with regex, but it seems like that might be the path?

Appreciate your help!
Thanks, rick

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-09-2021 01:24 PM

@rick4039 

A number of ways to do this, here are two ways

 

| where match(statusCode, "^[45][01]\d$")

| regex statusCode="^[45][01]\d$"

 

 use this after the initial search. It allows for the middle digit to be a 0 or 1, but you can change that as needed. The 3rd digit can be any number.

0 Karma
Reply

rick4039
Explorer
‎02-10-2021 01:31 PM

@bowesmanaThanks!!

I've tried using both in my query but was having a bit of trouble.  I'm continuing to edit my query with your recommendations to get it to work.  Your recommendation on using the |where command turned me on to using it with greater than, less than. 

| where statusCode>=400 AND statusCode<499

This solved my immediate need and gave me a good example on using regex in my queries.

Thanks!!

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...