Splunk Search

How to search for status code in log message

kodali21055
New Member

Hi,

I am trying to search for status code 404 in the below log message in my log file. The entries in my log file are as below
Complete with HTTP Response code : 404 in 100 ms.

Complete with HTTP Response code : 200 in 404 ms.

I am using regex as rex "(?<404errrcode>Complete with HTTP Response code : 404|Complete with HTTP Response code : 404)"
The problem I am facing is, this regex is returning all the entries that match 404. So I am getting the count even for status code 200, since 404 is present in that line.

Can you please help me to come up with a regex that gives the count for only the 404 which is present after (:) and does not match the milliseconds (ms) value.

0 Karma

Ayn
Legend

I think you're confusing some things here: first of all, there are two main commands related to applying regular expressions to searches. One is rex, which is used for creating a field extraction inline in your search. It does not filter anything, it just creates a field with a value if it finds a match based on the regex it's supplied with. The other one is regex which filters search results based on a regex.

So, if you want to FILTER the results using a regex, regex is the command you should use. However, in your case, I don't see the point in using regex, because all you are doing is filtering on some static text. My suggestion would be to just add this as a filter in your initial search command instead:

... AND "Complete with HTTP Response code : 404"

...or, you could still extract the response code separately and then filter based on the value of that field:

... | rex "Complete with HTTP Response code : (?<response_code>\d+)" | search response_code=404

kodali21055
New Member

Hi, Thanks for the information.
I am using the search as
rex "Complete with HTTP Response code : (?<http_response_code>\d+)" | chart count by http_response_code

My requirement is to count the total no. of requests with status code 200.

With this, I am getting the columns as 200, 204, 404, 500.
Is it possible to rename the column 200 to http_status_code 200?

0 Karma

Ayn
Legend

I guess it could be done, but isn't it enough that it says "http_response_code" in the column header?

If not, a general solution would be to use eval:

rex ... | eval http_response_code="http_response_code ".http_response_code | chart ...
0 Karma

johandk
Path Finder

Try this:

(?<errorcode404>Complete\swith\sHTTP\sResponse\scode\s:\s404\sin\s\d+\sms)
0 Karma
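As an added example, not part of the original thread: the extract-then-filter approach from Ayn's answer, the column-relabelling eval, and the whole-line pattern from johandk's answer, run over a few constructed log lines with Python's re module standing in for Splunk's rex and regex commands. The function names, the SAMPLE_LOG lines and the extra "Unrelated line" are my own; they are not from the thread. The naive substring count from the question is included so the overcount is visible next to the correct result.

```python
import re
from collections import Counter

# Constructed sample log lines in the format shown in the question (not real data).
# The second line is the trap: "404" appears as the elapsed time, not the status.
SAMPLE_LOG = """\
Complete with HTTP Response code : 404 in 100 ms.
Complete with HTTP Response code : 200 in 404 ms.
Complete with HTTP Response code : 500 in 12 ms.
Complete with HTTP Response code : 200 in 44 ms.
Unrelated line with no response code at all.
"""

# Equivalent of the thread's rex: capture the digits that directly follow the
# literal prefix, so the "in <n> ms" part can never be the captured value.
EXTRACT = re.compile(r"Complete with HTTP Response code : (?P<response_code>\d+)")

# Equivalent of the whole-line pattern in the last answer: a line matches only
# when 404 sits in the status position and the elapsed time is any number.
FULL_LINE_404 = re.compile(r"Complete\swith\sHTTP\sResponse\scode\s:\s404\sin\s\d+\sms")


def naive_count(lines, code):
    """The question's approach: count every line containing the code anywhere.
    Overcounts because the elapsed-time field can also contain those digits."""
    return sum(1 for line in lines if code in line)


def extract_code(line):
    """Return the status code as a string, or None when the line does not match
    (rex likewise leaves the field absent on events the regex does not match)."""
    m = EXTRACT.search(line)
    return m.group("response_code") if m else None


def count_by_code(lines):
    """Equivalent of `| rex ... | chart count by http_response_code`."""
    return Counter(c for c in map(extract_code, lines) if c is not None)


def count_code(lines, code):
    """Equivalent of `| rex ... | search response_code=<code> | stats count`."""
    return count_by_code(lines)[code]


def count_full_line_404(lines):
    """Equivalent of filtering events with the whole-line regex from the last answer."""
    return sum(1 for line in lines if FULL_LINE_404.search(line))


def labelled_counts(lines):
    """Equivalent of the eval that prefixes each chart column:
    eval http_response_code="http_response_code ".http_response_code"""
    return {f"http_response_code {code}": n for code, n in count_by_code(lines).items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive 404 count:", naive_count(lines, "404"))      # 2 (wrong: counts the 404 ms line)
    print("extracted 404 count:", count_code(lines, "404"))  # 1 (right)
    print("whole-line 404 count:", count_full_line_404(lines))  # 1
    print("by code:", dict(count_by_code(lines)))
    print("labelled:", labelled_counts(lines))
```

The point both answers make is the same one the code shows: anchoring the capture to the literal prefix "Complete with HTTP Response code : " means the digits in the elapsed-time field are never the captured value, so a filter on the extracted field cannot be fooled by a 404 ms request. A plain substring or unanchored regex match has no such anchor and counts the 200 line as well.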