Hello, I know this has been brought up a lot already but I didn't find a clear answer.
I have this template of log:

pamandzi squid3: 1468405079.420 1 10.138.7.25 TCP_HIT/200 8573 GET http://static.cedex.it.showroomprive.com/v3/0/_img/wait2.gif - NONE/- image/gif

And I have created 3 extractors for it:

squid3: [0-9]{1,50}.[0-9]{1,50}[ ]{1,10}[0-9]{1,50} ([0-9.]{1,50})
=> will return the client IP address. Works fine.

[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [a-zA-Z0-9.-/%:_=]{1,50} ([0-9]{1,10})
=> returns the bytes used in the request. Works fine too.

My problem comes with the last extractor. At the moment I have this:

GET http://[a-zA-Z0-9-]{1,1000}.([a-zA-Z0-9-.]{1,1000})

My reasoning when I created this was that most URLs I saw started with one word, then there is the domain name, and then there is all that comes after the first /

It works fine when there is exactly one word before the domain name (example: http://www.facebook.com), but obviously doesn't when there is none, or more than one.

How can I make a regex that will take only the domain name, aka the last two things before the / ?

Thanks a lot.

PS: I know the two working regexes are kinda ugly and not clean (with all those {1,1000} etc). Please don't pay attention to that :S
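Added example, not part of the original post: one way to capture "the last two things before the /" whether the host has zero, one or several leading labels, checked here in Python with syntax that is also valid for the Java regex engine Graylog extractors use. It goes slightly beyond the question by accepting any HTTP method and https, and by skipping bare IPv4 hosts; the function name and every sample line except the first are constructed for illustration.

```python
import re

# Group 1 = last two dot-separated labels of the host in a Squid access-log URL.
DOMAIN_RE = re.compile(
    r"[A-Z]+ https?://"                          # method and scheme
    r"(?!\d{1,3}(?:\.\d{1,3}){3}(?=[:/\s]|$))"   # do not match a bare IPv4 host
    r"(?:[a-zA-Z0-9-]+\.)*"                      # zero or more leading labels
    r"([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"            # captured: last two labels
    r"(?=[:/\s]|$)"                              # host ends at port, path or space
)


def extract_domain(line):
    """Return the last two host labels (lowercased), or None if no match."""
    m = DOMAIN_RE.search(line)
    return m.group(1).lower() if m else None


# First line is the one from the post; the others are constructed samples.
PREFIX = "pamandzi squid3: 1468405079.420 1 10.138.7.25 TCP_HIT/200 8573 "
SAMPLES = [
    PREFIX + "GET http://static.cedex.it.showroomprive.com/v3/0/_img/wait2.gif - NONE/- image/gif",
    PREFIX + "GET http://www.facebook.com/ - NONE/- text/html",
    PREFIX + "GET http://example.org/index.html - NONE/- text/html",
    PREFIX + "POST http://api.example.net:8080/v1/items - NONE/- application/json",
    PREFIX + "GET http://192.0.2.10/status - NONE/- text/plain",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(extract_domain(sample))
```

The greedy prefix group backtracks exactly far enough to leave two labels for the capture, so the number of subdomains no longer matters. Because the pattern only counts labels, a host under a multi-label suffix such as www.example.co.uk yields "co.uk".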
