Well, I'm a moron and forgot domain names could have more than two words too, so I'm kinda lost as to what I can do here ^^'
On Wednesday, July 13, 2016 at 2:41:33 PM UTC+4, Zoizo wrote:
>
> Hello,
>
> I know this has been brought up a lot already but I didn't find a clear answer.
>
> I have this template of log:
>
> pamandzi squid3: 1468405079.420 1 10.138.7.25 TCP_HIT/200 8573 GET http://static.cedex.it.showroomprive.com/v3/0/_img/wait2.gif - NONE/- image/gif
>
> And I have created 3 extractors for it:
>
> squid3: [0-9]{1,50}.[0-9]{1,50}[ ]{1,10}[0-9]{1,50} ([0-9.]{1,50}) => will return the client IP address. Works fine.
>
> [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [a-zA-Z0-9.-/%:_=]{1,50} ([0-9]{1,10}) => returns the bytes used in the request. Works fine too.
>
> My problem comes with the last extractor. At the moment I have this:
>
> GET http://[a-zA-Z0-9-]{1,1000}.([a-zA-Z0-9-.]{1,1000})
>
> My reasoning when I created this was that most URLs I saw started with one word, then there is the domain name, and then there is all that comes after the first /
> It works fine when there is exactly one word before the domain name (example: http://www.facebook.com), but obviously doesn't when there is none, or more than one.
>
> How can I make a regex that will take only the domain name, aka the last two things before the / ?
>
> Thanks a lot.
>
> PS: I know the two working regexes are kinda ugly and not clean (with all those {1,1000} etc). Please don't pay attention to that :S
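Added example, not part of the original thread: a pattern that captures the last two host labels however many labels precede them, followed by the post-processing needed when the suffix itself has two labels (the case raised in the reply above). The function names, the extra sample lines, and the tiny suffix set are constructed for illustration; the pattern uses only constructs shared by Python and Java regex syntax.

```python
import re

# Lazily skip any number of leading labels, then capture the last two labels
# of the host. The lookahead pins the capture to the end of the host.
LAST_TWO_LABELS = re.compile(
    r"GET https?://(?:[a-zA-Z0-9-]+\.)*?"
    r"([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)(?=[:/ ]|$)"
)
# Whole host, used by the suffix-aware fallback below.
HOST = re.compile(r"GET https?://([a-zA-Z0-9.-]+)")

# Constructed, deliberately tiny sample of two-label public suffixes.
# A real deployment would load the full Public Suffix List instead.
SAMPLE_MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Log line from the post, plus two constructed lines for the edge cases.
PAGE_LINE = ("pamandzi squid3: 1468405079.420 1 10.138.7.25 TCP_HIT/200 8573 GET "
             "http://static.cedex.it.showroomprive.com/v3/0/_img/wait2.gif "
             "- NONE/- image/gif")
NO_SUBDOMAIN = "host squid3: 1.0 1 10.0.0.1 TCP_MISS/200 10 GET http://example.org/ - x"
TWO_LABEL_SUFFIX = ("host squid3: 1.0 1 10.0.0.1 TCP_MISS/200 10 GET "
                    "http://www.example.co.uk:8080/a - x")


def last_two_labels(line):
    """What the single regex yields: the last two labels of the host."""
    m = LAST_TWO_LABELS.search(line)
    return m.group(1) if m else None


def registrable_domain(line):
    """Last two labels, or last three when the last two are a known suffix."""
    m = HOST.search(line)
    if not m:
        return None
    host = m.group(1).lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host  # IPv4 literal: there is no domain to reduce
    n = 3 if ".".join(labels[-2:]) in SAMPLE_MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]) if len(labels) >= n else None


if __name__ == "__main__":
    for line in (PAGE_LINE, NO_SUBDOMAIN, TWO_LABEL_SUFFIX):
        print(last_two_labels(line), registrable_domain(line))
```

The regex alone cannot tell `co.uk` from a registrable domain, so the suffix lookup has to happen outside the pattern.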
