[Text Datasource]: Regular Expressions

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s([0-9]*)\s([0-9]*).*

Apply on access.log file:

  •  ([^\-]*)  // characters up to dash become first field
    
  • \-\s    // dash space
    
  • ([^\s]*)  // characters up to next space become second field
    
  • \s    // space
    
  • ([^\"]*)  // characters up to quote become third field
    
  • \"    // quote
    
  • ([^\s]*)  // characters up to space become fourth field
    
  • \s    // space
    
  • ([^\"]*)  // characters up to quote become fifth field
    
  • "\s     // quote and space
    
  • ([0-9]*)  // digits become sixth field
    
  • \s    // space
    
  • ([0-9]*)  // digits become seventh field
    
  • .*    // anything else on the line ignored
    

To filter so you only see certain codes, eg. 403 in the sixth field:

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s(403)\s([0-9]*).*

if you don’t want to see the 403 as a field remove the grouping parenthesis:

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s403\s([0-9]*).*

To use variable substitution, insert a ${code}

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s(${code})\s([0-9]*).*

I’ve reinserted the grouping parenthesis in this example, so the actual code value becomes a field.