I am trying to create a query that returns documents with client-side and server errors. I tested various ways using regexp, span query... all seem to work, but I'm not confident since the query doesn't consider the position of the match. Following is what I tried. Any suggestion how I can avoid false positives? What I need to match is the digit after the 4th space; unfortunately I can't do a regular regex here. Is there any way I can match the position of a token?
{
  "query": {
    "bool": {
      "must": [
        {
          "regexp": {
            "message": {
              "value": "<400-599>"
            }
          }
        }
      ]
    }
  }
}
or
{
  "query": {
    "span_first": {
      "match": {
        "span_term": {
          "message": "401"
        }
      },
      "end": 17
    }
  }
}
This second one works, but I can't have a range of values :)? Any suggestion how such a query can be written?
document sample:
{"message":"0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] \"POST /hello/ HTTP/1.1\" 403 131 8080 20 ms"}
{"message":"0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] \"POST /hello/ HTTP/1.1\" 500 332 8080 5 ms"}
{"message":"0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] \"POST /hello/ HTTP/1.1\" 403 443 8080 500 ms"}
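The false positive the question is worried about is real: the third sample line has a latency of "500 ms", and a regexp query over the analyzed `message` field matches any token in the range, not just the status code. The usual fix is to stop searching positions in free text and instead extract the status code into its own integer field at ingest time, then run a `range` query on that field. The script below is an added example written for this answer, not code from the original poster: it parses constructed sample lines modelled on the ones above, shows which lines a token-based match would wrongly flag (whitespace splitting is used here as a stand-in for the standard analyzer, which is an approximation), and builds the ingest pipeline and range query bodies. The field names (`http.status`, `http.method`, and so on), the pipeline id and the grok pattern are assumptions chosen for illustration.

```python
import re
from typing import List, Optional

# Constructed sample lines modelled on the question's documents (not real traffic).
# The fourth line is a 200 response whose latency happens to be "404 ms".
SAMPLE_LOGS: List[str] = [
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "POST /hello/ HTTP/1.1" 403 131 8080 20 ms',
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "POST /hello/ HTTP/1.1" 500 332 8080 5 ms',
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "POST /hello/ HTTP/1.1" 403 443 8080 500 ms',
    '0:0:0:0:0:0:0:1 - - [11/Jul/2019:11:07:51 -0500] "GET /ok/ HTTP/1.1" 200 12 8080 404 ms',
]

# Anchor on the quoted request line: the status code is the first 3-digit number
# after the closing quote, so later numbers (bytes, port, latency) cannot match.
STATUS_RE = re.compile(r'"[A-Z]+ [^"]*" (?P<status>\d{3}) ')


def extract_status(line: str) -> Optional[int]:
    """Return the HTTP status code from an access-log line, or None if absent."""
    m = STATUS_RE.search(line)
    return int(m.group("status")) if m else None


def classify(status: Optional[int]) -> Optional[str]:
    """Map a status code to the class the question wants to search for."""
    if status is None:
        return None
    if 400 <= status <= 499:
        return "client_error"
    if 500 <= status <= 599:
        return "server_error"
    return None


def naive_token_match(line: str) -> bool:
    """Approximate the posted regexp query: any standalone numeric token in 400-599.
    Whitespace splitting is an assumed stand-in for the standard analyzer."""
    return any(tok.isdigit() and 400 <= int(tok) <= 599 for tok in line.split())


def false_positives(lines: List[str]) -> List[str]:
    """Lines the token match flags although the real status is not 4xx/5xx."""
    return [ln for ln in lines if naive_token_match(ln) and classify(extract_status(ln)) is None]


def ingest_pipeline_body() -> dict:
    """Assumed ingest pipeline: grok the status into an integer field at index time.
    Field names and the pattern are illustrative, not from the question."""
    pattern = (
        r'%{NOTSPACE:client.ip} - - \[%{HTTPDATE:@timestamp}\] '
        r'"%{WORD:http.method} %{NOTSPACE:url.path} HTTP/%{NUMBER:http.version}" '
        r'%{NUMBER:http.status:int} %{NUMBER:http.bytes:int} '
        r'%{NUMBER:server.port:int} %{NUMBER:took_ms:int} ms'
    )
    return {
        "description": "Parse access-log message into typed fields (assumed example)",
        "processors": [{"grok": {"field": "message", "patterns": [pattern]}}],
    }


def error_query_body() -> dict:
    """Range query on the extracted integer field: no token positions involved."""
    return {"query": {"range": {"http.status": {"gte": 400, "lte": 599}}}}


if __name__ == "__main__":
    for ln in SAMPLE_LOGS:
        st = extract_status(ln)
        print(f"status={st} class={classify(st)} token_match={naive_token_match(ln)}")
    print("false positives of the token match:", false_positives(SAMPLE_LOGS))
    print("range query:", error_query_body())
```

Run it and the fourth line shows up as a false positive of the token-based approach while `extract_status` returns 200 for it. The same applies to `span_first`: the `end` position depends on how the analyzer tokenizes the IPv6 address and the timestamp, so a position that works for one line can drift for another. Indexing the status as its own numeric field removes that dependency entirely; if re-indexing is not an option, a `runtime` field that applies the same regex at query time is the next-best choice.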