I'm trying to pick up the status codes for a given api, 4XX and 5XX. I've typically done this with something like this: (changed the index, source and sourceUrl to be generic)
index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=\5*)
| timechart span=15m@m usenull=false count(statusCode) by statusCode
This has worked in the past, but I'm running into a situation for some api's where my search is returning values such as: 4, 40, 41 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc.
My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41 44, 5, 50, 51) I've tried doing something like: statusCode=40* this excluded everything except 40. I tried statusCode=40\d Thought i'd try, =40? but nothing is working.
Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX
I'm not very experienced with regex, but it seems like that might be the path?
Appreciate your help!
Thanks, rick
A number of ways to do this, here are two ways
| where match(statusCode, "^[45][01]\d$")
| regex statusCode="^[45][01]\d$"
use this after the initial search. It allows for the middle digit to be a 0 or 1, but you can change that as needed. The 3rd digit can be any number.
@bowesmanaThanks!!
I've tried using both in my query but was having a bit of trouble. I'm continuing to edit my query with your recommendations to get it to work. Your recommendation on using the |where command turned me on to using it with greater than, less than.
| where statusCode>=400 AND statusCode<499
This solved my immediate need and gave me a good example on using regex in my queries.
Thanks!!