I have a log in ELK index like below
2024-06-24T05:05:26.31412196Z stdout F {"time": "2024-06-24T05:05:26+00:00", "remote_addr": "-", "x_forwarded_for": "XX.XX.XX.XX, XX.XX.XX.XX", "request_id": "xxxxxxxxxxxxxxxxxxxx","remote_user": "-", "bytes_sent": 833, "request_time": 0.120, *"status": 401*, "vhost": "xxxxxxxxxxxxxxx.com", "request_proto": "HTTP/1.1","path": "/xxxxx/xxxxxxxxx", "request_query": "-", "request_length": 550, "duration": 0.120,"method": "POST", "http_referrer": "-","http_user_agent": "okhttp/4.9.2", "upstream_cache_status": "-" }
The above value is captured in the log.message field. Now, I would like to filter the log messages whose status code is from 400 to 499. I am unable to write the Lucene regex query in ELK.
Has anyone faced this earlier, and is there any suggestion for filtering the value?
Your help is much appreciated.
I have tried the below Lucene queries
log: ""status": 4*"+", "vhost":"
log: ""status": 4(d)+, "vhost":"
Nothing worked.
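An added example, not part of the question or any answer. Two points about the attempted queries: Lucene regex syntax, which Elasticsearch uses for `/.../` queries, has no `\d` shorthand, so a digit must be written as `[0-9]`; and a regex query against an analyzed text field is matched against individual terms, so a bare `4[0-9][0-9]` pattern would also hit a `request_length` of 404. The reliable approach is to parse the JSON payload into its own fields (for example with a Logstash `json` filter or an ingest pipeline) and then query a numeric range such as `status:[400 TO 499]`. The Python below reproduces that logic offline on constructed sample lines in the same container-runtime format as the question (`<timestamp> <stream> <tag> <json>`), and contrasts an anchored regex with the unanchored one to show why the field-based filter is preferable. All sample values, request ids and hostnames are constructed placeholders.

```python
import json
import re
from typing import Iterable, List, Optional

# Constructed sample lines (not real traffic) in the same CRI log format as the
# question: "<timestamp> <stdout|stderr> <F|P> <json payload>".
# Line 2 has status 200 but a request_length of 404, a deliberate trap for
# any unanchored "4xx" regex.
SAMPLE_LINES = [
    '2024-06-24T05:05:26.31412196Z stdout F {"time": "2024-06-24T05:05:26+00:00", "request_id": "req-1", "status": 401, "vhost": "example.test", "path": "/login", "request_length": 550, "method": "POST"}',
    '2024-06-24T05:05:27.00000000Z stdout F {"time": "2024-06-24T05:05:27+00:00", "request_id": "req-2", "status": 200, "vhost": "example.test", "path": "/health", "request_length": 404, "method": "GET"}',
    '2024-06-24T05:05:28.00000000Z stdout F {"time": "2024-06-24T05:05:28+00:00", "request_id": "req-3", "status": 503, "vhost": "example.test", "path": "/api", "request_length": 120, "method": "POST"}',
    '2024-06-24T05:05:29.00000000Z stdout F {"time": "2024-06-24T05:05:29+00:00", "request_id": "req-4", "status": 404, "vhost": "example.test", "path": "/missing", "request_length": 98, "method": "GET"}',
]

# CRI prefix: timestamp, stream name, partial/full tag, then the raw payload.
CRI_PREFIX = re.compile(r'^(\S+)\s+(stdout|stderr)\s+([FP])\s+(.*)$', re.DOTALL)


def parse_cri_line(line: str) -> Optional[dict]:
    """Strip the CRI prefix and decode the JSON payload into a dict.

    This is the offline equivalent of a Logstash json filter / ingest
    pipeline that turns log.message into structured fields.
    Returns None for lines that are not in the expected shape.
    """
    m = CRI_PREFIX.match(line)
    if not m:
        return None
    try:
        record = json.loads(m.group(4))
    except json.JSONDecodeError:
        return None
    record["_timestamp"] = m.group(1)
    return record


def is_client_error(record: dict) -> bool:
    """Numeric range check, the equivalent of status:[400 TO 499]."""
    status = record.get("status")
    return isinstance(status, int) and 400 <= status <= 499


def client_error_request_ids(lines: Iterable[str]) -> List[str]:
    """Return the request_id of every parseable line with a 4xx status."""
    ids = []
    for line in lines:
        rec = parse_cri_line(line)
        if rec is not None and is_client_error(rec):
            ids.append(rec["request_id"])
    return ids


# Regex fallback for the raw message text. Lucene regex has no \d, so the
# digit class is spelled [0-9]. Anchoring on the literal "status" key is what
# keeps other numeric fields (request_length, bytes_sent) from matching.
# Lucene-style equivalent on an unanalyzed keyword copy of the field, where
# the pattern must cover the whole value:  log.message:/.*"status": 4[0-9][0-9].*/
ANCHORED_STATUS_4XX = re.compile(r'"status":\s*(4[0-9][0-9])\b')
UNANCHORED_4XX = re.compile(r'\b4[0-9][0-9]\b')


def status_4xx_anchored(message: str) -> Optional[int]:
    """Return the 4xx status from the raw message, or None if it is not 4xx."""
    m = ANCHORED_STATUS_4XX.search(message)
    return int(m.group(1)) if m else None


def looks_4xx_unanchored(message: str) -> bool:
    """The naive term match: true for ANY three-digit 4xx number in the line."""
    return UNANCHORED_4XX.search(message) is not None


if __name__ == "__main__":
    print("4xx by parsed field:", client_error_request_ids(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        print(status_4xx_anchored(line), looks_4xx_unanchored(line))
```

Running it shows the field-based filter and the anchored regex both select only req-1 and req-4, while the unanchored pattern also flags req-2 because of its request_length of 404, which is exactly the false positive a per-term regex query on an analyzed field would produce.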