Splunk Search

How do I edit my chart count search returning HTTP codes to filter out codes 200 and 301 from the list of results?

mcvr
New Member

Hi All,

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

This is giving me the all the HTTP codes and the corresponding counts as below

Code Count

200 5000
404 1,321
500 8,888
301 9,102

I don't want the 200 and 301 codes in my result set. For this, I tried the below logic, but never worked. It still lists the 200 and 301.

I need something like:

Code Count

404 1,321
500 8,888

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" AND " 301 Bytes" AND " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

Data String I am searching against:

Time Taken: 120039666 URL_STRING: /shop/dept_outfit.jsp 11.111.111.11 - - [28/Aug/2015:02:54:20 -0700] "GET /shop/dept_outfit.jsp HTTP/1.0" 200 Bytes: 56814 "-" "Mozilla/5.0 (compatible; test/1.0; http://open.test.com/dev/test)";

Please advise.

Tags (3)
0 Karma

FritzWittwer_ol
Contributor

Thre is more than one way as in Perl 😉

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR" 301 Bytes" OR" 302 Bytes")|...

or

source="/export/home/gpiadmin/logs/access_log" NOT " 200 Bytes" NOT " 301 Bytes" NOT " 302 Bytes"|...

or even

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code | search NOT( status_code=200 ORstaus_code=301)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this:

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR " 301 Bytes" OR " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code
---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...