Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude statusCodes that are Not Three Digits

rick4039
Explorer
‎02-09-2021 01:03 PM

I'm trying to pick up the status codes for a given api, 4XX and 5XX.  I've typically done this with something like this: (changed the index, source and sourceUrl to be generic)

index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=\5*)
| timechart span=15m@m usenull=false count(statusCode) by statusCode

This has worked in the past, but I'm running into a situation for some api's where my search is returning values such as: 4, 40, 41 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc.

My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41 44, 5, 50, 51) I've tried doing something like: statusCode=40* this excluded everything except 40. I tried statusCode=40\d  Thought i'd try, =40? but nothing is working. 

Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX

I'm not very experienced with regex, but it seems like that might be the path?

Appreciate your help!
Thanks, rick

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-09-2021 01:24 PM

@rick4039 

A number of ways to do this, here are two ways

 

| where match(statusCode, "^[45][01]\d$")

| regex statusCode="^[45][01]\d$"

 

 use this after the initial search. It allows for the middle digit to be a 0 or 1, but you can change that as needed. The 3rd digit can be any number.

0 Karma
Reply

rick4039
Explorer
‎02-10-2021 01:31 PM

@bowesmanaThanks!!

I've tried using both in my query but was having a bit of trouble.  I'm continuing to edit my query with your recommendations to get it to work.  Your recommendation on using the |where command turned me on to using it with greater than, less than. 

| where statusCode>=400 AND statusCode<499

This solved my immediate need and gave me a good example on using regex in my queries.

Thanks!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...