Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I edit my chart count search returning HTTP codes to filter out codes 200 and 301 from the list of results?

mcvr
New Member
‎08-28-2015 05:40 AM

Hi All,

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

This is giving me the all the HTTP codes and the corresponding counts as below

Code Count

200 5000
404 1,321
500 8,888
301 9,102

I don't want the 200 and 301 codes in my result set. For this, I tried the below logic, but never worked. It still lists the 200 and 301.

I need something like:

Code Count

404 1,321
500 8,888

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" AND " 301 Bytes" AND " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

Data String I am searching against:

Time Taken: 120039666 URL_STRING: /shop/dept_outfit.jsp 11.111.111.11 - - [28/Aug/2015:02:54:20 -0700] "GET /shop/dept_outfit.jsp HTTP/1.0" 200 Bytes: 56814 "-" "Mozilla/5.0 (compatible; test/1.0; http://open.test.com/dev/test)";

Please advise.

Tags (3)
0 Karma
Reply

FritzWittwer_ol
Contributor
‎08-28-2015 07:01 AM

Thre is more than one way as in Perl 😉

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR" 301 Bytes" OR" 302 Bytes")|...

or

source="/export/home/gpiadmin/logs/access_log" NOT " 200 Bytes" NOT " 301 Bytes" NOT " 302 Bytes"|...

or even

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code | search NOT( status_code=200 ORstaus_code=301)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-28-2015 06:51 AM

Try this:

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR " 301 Bytes" OR " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...