I'm trying to pick up the status codes for a given API, 4XX and 5XX. I've typically done this with something like this (changed the index, source and sourceUrl to be generic):

    index="ralph" source="/var/log/containers/api.log" sourceUrl="/url/api/api_name" (statusCode=4* OR statusCode=5*)
    | timechart span=15m@m usenull=false count(statusCode) by statusCode

This has worked in the past, but I'm running into a situation for some APIs where my search is returning values such as: 4, 40, 41 44, 401, 403, 404, 5, 50, 51, 500, 503, 504, etc.

My goal is to exclude anything that is NOT three digits (i.e. 4, 40, 41 44, 5, 50, 51).

I've tried doing something like: statusCode=40*; this excluded everything except 40. I tried statusCode=40\d. Thought I'd try =40? but nothing is working.

Is there a wildcard combo that would allow me to search where it must contain the 40 and one additional number? So I'd get just 400, 401, 4XX.

I'm not very experienced with regex, but it seems like that might be the path?

Appreciate your help!

Thanks,
rick
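An added example, not part of the original post: a self-contained SPL search that builds the status values listed in the question as constructed sample events and keeps only three-digit 4XX/5XX codes with an anchored regular expression. The `makeresults` sample data and the pattern `^[45]\d{2}$` are assumptions made for illustration; the field name `statusCode` is the one from the post.

```spl
| makeresults
| eval statusCode=split("4,40,41,44,401,403,404,5,50,51,500,503,504", ",")
| mvexpand statusCode
| regex statusCode="^[45]\d{2}$"
| stats count by statusCode
```

On this sample the search returns 401, 403, 404, 500, 503 and 504 and drops the one- and two-digit values. In the search from the post, the same `| regex` line would sit between the base search and `| timechart`.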