Sample of Regulat Expression

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s([0-9]*)\s([0-9]*).*

Apply on access.log file:

([^\-]*)      // characters up to dash become first field
\-\s          // dash space
([^\s]*)      // characters up to next space become second field
\s            // space
([^\"]*)      // characters up to quote become third field
\"            // quote
([^\s]*)      // characters up to space become fourth field
\s            // space
([^\"]*)      // characters up to quote become fifth field
"\s           // quote and space
([0-9]*)      // digits become sixth field
\s            // space
([0-9]*)      // digits become seventh field
.*            // anything else on the line ignored

To filter so you only see certain codes, eg. 403 in the sixth field:

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s(403)\s([0-9]*).*

if you don't want to see the 403 as a field remove the grouping parenthesis:

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s403\s([0-9]*).*

To use variable substitution, insert a ${code}

([^\-]*)\-\s([^\s]*)\s([^\"]*)\"([^\s]*)\s([^\"]*)"\s(${code})\s([0-9]*).*

I've reinserted the grouping parenthesis in this example, so the actual code value becomes a field.

-- SooGuan - 27 Dec 2005