Splunk Search

How do I edit my chart count search returning HTTP codes to filter out codes 200 and 301 from the list of results?

mcvr
New Member

Hi All,

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

This is giving me the all the HTTP codes and the corresponding counts as below

Code Count

200 5000
404 1,321
500 8,888
301 9,102

I don't want the 200 and 301 codes in my result set. For this, I tried the below logic, but never worked. It still lists the 200 and 301.

I need something like:

Code Count

404 1,321
500 8,888

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" AND " 301 Bytes" AND " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

Data String I am searching against:

Time Taken: 120039666 URL_STRING: /shop/dept_outfit.jsp 11.111.111.11 - - [28/Aug/2015:02:54:20 -0700] "GET /shop/dept_outfit.jsp HTTP/1.0" 200 Bytes: 56814 "-" "Mozilla/5.0 (compatible; test/1.0; http://open.test.com/dev/test)";

Please advise.

Tags (3)
0 Karma

FritzWittwer_ol
Contributor

Thre is more than one way as in Perl :winking_face:

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR" 301 Bytes" OR" 302 Bytes")|...

or

source="/export/home/gpiadmin/logs/access_log" NOT " 200 Bytes" NOT " 301 Bytes" NOT " 302 Bytes"|...

or even

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code | search NOT( status_code=200 ORstaus_code=301)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this:

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR " 301 Bytes" OR " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...