I am new to Splunk logging and I have a host name and source that I would like to create an alert for. I want to create an alert for when there are 400's, 500's and instances of "error" being returned. I know how to write a regex but not how to pass it with Splunk's syntax. I was trying something like this:
host="hostname" source="source_name.log" error OR regex "/ 5\d\d /" OR regex "/ 4\d\d /"
I am familiar with how to create the alerts from a saved search but this syntax is not returning anything and the Splunk documentation for regular expressions is very vague. What is the cleanest and most efficient way to go about this?
Edit: Updated post to correct regex so it displays properly with the comment markdown. Also, I know the dataset I'm searching is returning 400's, 500's, and errors. If I try the same search and pass it 400 OR 403 OR 404 et cetera it will return results but I get no results when trying with the regex syntax.
My suggestion is, since you're looking for specific information in specific places in your logs, set up field extractions and then do wildcard matching on the specific fields. For instance, you could extract HTTP response codes to a field, let's call it response_code, and then do
host="hostname" source="source_name.log" (error OR response_code="4*" OR response_code="5*")
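As an added illustration, not part of the question or the answer above, here is the answer's approach written out as a complete search-time SPL pipeline. The reason the original search returns nothing is that `regex` is a search command, not a search term: it only works after a pipe, it takes a field and a pattern rather than slash-delimited text, and in the question's first line the word `regex` is just being searched for as a literal token. `rex` is the companion command that extracts a named capture group into a field. The hostname, the source, and the assumption that the status code sits between whitespace (as in the question's `/ 5\d\d /`) are carried over from the question; `response_code` is the field name the answer proposed.

```spl
host="hostname" source="source_name.log"
| rex field=_raw "\s(?<response_code>[1-5]\d{2})\s"
| search error OR response_code=4* OR response_code=5*
| fillnull value="none" response_code
| stats count BY response_code
```

The `rex` line extracts any three-digit HTTP status into `response_code` (events with no such token simply get no field), the `search` line keeps the events the question cares about (the literal token `error`, or a 4xx/5xx code), `fillnull` labels error-only events so they are not dropped by the final `stats`, and the `stats` gives the per-code counts an alert condition can be set on. If you only want the filter and no extracted field, `| regex _raw="(?i)error|\s[45]\d{2}\s"` after the base search does the same job in one command. To make the extraction permanent rather than per-search, the same pattern goes into props.conf under a `[source::source_name.log]` stanza as `EXTRACT-response_code = \s(?<response_code>[1-5]\d{2})\s`. One caveat: a whitespace-delimited three-digit number is a heuristic, so if the log also carries byte counts or ports in that range, tighten the pattern to the actual layout of the line (for example, anchor it to the closing quote of the request string in an access-log format) before building an alert on it.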