Query on CLF log

I am trying to create a query that returns documents with client-side and server errors. I tested various ways using regexp, span query... all seem to work, but I'm not confident, since the query doesn't consider the position of the match. Following is what I tried. Any suggestion how I can avoid any false positives? What I need to match is a digit after the 4th space; unfortunately I can't do a regular regex here. Is there any way I can match the position of a token?

    {
      "query": {
        "bool": {
          "must": [
            {
              "regexp": {
                "message": {
                  "value": "<400-599>"
                }
              }
            }
          ]
        }
      }
    }

or

    {
      "query": {
        "span_first": {
          "match": {
            "span_term": {
              "message": "401"
            }
          },
          "end": 17
        }
      }
    }

This second one works, but it can't have a range of values :). Any suggestion how such a query can be written?

Document sample:

    {"message":"0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] \"POST /hello/ HTTP/1.1\" 403 131 8080 20 ms"}
    {"message":"0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] \"POST /hello/ HTTP/1.1\" 500 332 8080 5 ms"}
    {"message":"0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] \"POST /hello/ HTTP/1.1\" 403 443 8080 500 ms"}
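The false positives the question worries about come from matching any numeric token in the analyzed `message` field rather than the token in the status position. The following added example (not code from the original post) parses the CLF-style line by field position, so only the status code is compared against 400-599, and shows the kind of line a position-blind token match would wrongly flag. The sample messages are constructed to mirror the format above; the fourth one (status 200, response size 404) is added to demonstrate the false positive. The `es_range_query` helper builds the Elasticsearch `range` query you could run once the status has been extracted into its own numeric field (for example by an ingest pipeline); the field name `status` is an assumption.

```python
import re

# Constructed sample messages in the same format as the question's documents.
# The last one has a 2xx status but a 404-byte response size, which a
# position-blind numeric match would wrongly report as an error.
SAMPLE_MESSAGES = [
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "POST /hello/ HTTP/1.1" 403 131 8080 20 ms',
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "POST /hello/ HTTP/1.1" 500 332 8080 5 ms',
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "POST /hello/ HTTP/1.1" 403 443 8080 500 ms',
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "GET /ok/ HTTP/1.1" 200 404 8080 3 ms',
]

# Anchored CLF pattern: client, ident, user, [timestamp], "request", status, size,
# followed by any extra trailing fields (port and latency in these samples).
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)(?: (?P<rest>.*))?$'
)


def parse_clf(message):
    """Return the log fields as a dict (status as int), or None if the line does not parse."""
    m = CLF_RE.match(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def is_client_or_server_error(message):
    """True only when the token in the status position is 400-599."""
    doc = parse_clf(message)
    return doc is not None and 400 <= doc["status"] <= 599


def naive_token_match(message):
    """Emulates a position-blind match: any whitespace token numerically in 400-599."""
    return any(tok.isdigit() and 400 <= int(tok) <= 599 for tok in message.split())


def false_positives(messages):
    """Messages the naive match flags that the positional parse does not."""
    return [m for m in messages if naive_token_match(m) and not is_client_or_server_error(m)]


def es_range_query(field="status", gte=400, lte=599):
    """Range query over a numeric field holding the extracted status (field name assumed)."""
    return {"query": {"range": {field: {"gte": gte, "lte": lte}}}}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        doc = parse_clf(msg)
        print(doc["status"], "error" if is_client_or_server_error(msg) else "ok",
              "| naive match:", naive_token_match(msg))
    print("false positives from naive match:", len(false_positives(SAMPLE_MESSAGES)))
    print(es_range_query())
```

The point to take from the comparison: the third sample is reported as an error by both approaches, but the naive match also fires on its `443` and `500 ms` tokens, and the fourth sample is reported only by the naive match. Extracting the status into its own field at ingest time and querying that field with `range` removes the positional ambiguity entirely.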
