Ok I have resolved the problem (it seems).
I created two extractors, one with the condition "matches regular
expression" *GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/* and the other with *GET
[a-z]+://[a-zA-Z0-9]{1,1000}.[a-zA-Z0-9]{2,4}/.*
Both under the same field name. It didn't create two of the same fields
fortunately.
Thanks again Jason!
On Friday, July 15, 2016 at 8:36:13 AM UTC+4, Zoizo wrote:
>
> Hi,
>
> I tested your second regex (what I need is the two words, facebook.com)
> and it works fine when there are three or more words, and sadly doesn't
> when there are exactly two words (http://facebook.com for example).
> Is there a way to add an alternation to the regex, like, if the first
> regex doesn't match any group, try GET [a-z]+://([^/]+)/ instead ?
> I tried this : GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/ | GET [a-z]+://([^/]+)/
> but it says nothing will be extracted. I must have made a syntax mistake
> since I haven't used that before.
>
> Thanks lots!
>
> On Thursday, July 14, 2016 at 11:33:10 AM UTC+4, Jason Haar wrote:
>>
>>
>> On Wed, Jul 13, 2016 at 10:57 PM, Zoizo <[email protected]> wrote:
>>
>>> Well I'm a moron and forgot domain names could have more than two words
>>> too so, I'm kinda lost as to what I can do here ^^'
>>>
>>
>> Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"
>>
>> On "facebook.com" that would match "com". Assuming that's what you want
>> of course (I stick to "GET [a-z]+://([^/]+)/" myself)
>>
>> If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/"
>> should do that
>>
>> I know "https?" would be better - but I'm not near graylog at the moment
>> and I don't know if its weird Java-based regex library supports that - so
>> I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)
>>
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>
>
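
A single pattern with one capture group that covers both the two-label and the three-or-more-label hosts discussed in this thread, as an added example (not code from the thread or from Graylog). It is written against Python's re so it runs offline; the non-capturing and optional groups it relies on are also valid in Java regex. The log lines are constructed, and the names LAST_TWO_LABELS and extract_domain are hypothetical.

```python
import re

# One capture group only, so an extractor that stores "the first group"
# always receives the same thing:
#   (?:[^/:\s]+\.)?      optional, non-capturing run of leading labels ("www.")
#   ([^/.:\s]+\.[^/.:\s]+)  exactly the last two labels of the host
#   (?::\d+)?            optional port, matched but not captured
LAST_TWO_LABELS = re.compile(
    r"GET [a-z]+://(?:[^/:\s]+\.)?([^/.:\s]+\.[^/.:\s]+)(?::\d+)?/"
)

# Constructed proxy-style log lines (not taken from the thread).
SAMPLE_LINES = [
    "1468500000.123 TCP_MISS/200 512 GET http://facebook.com/ - DIRECT",
    "1468500001.456 TCP_MISS/200 734 GET http://www.facebook.com/home.php - DIRECT",
    "1468500002.789 TCP_HIT/200 2048 GET http://static.xx.fbcdn.net/rsrc.php - NONE",
    "1468500003.012 TCP_MISS/200 99 GET https://example.org:8080/ - DIRECT",
    "1468500004.345 TCP_MISS/200 10 GET http://localhost/ - DIRECT",
    "1468500005.678 TCP_MISS/200 88 GET http://www.bbc.co.uk/ - DIRECT",
]


def extract_domain(line):
    """Return the last two host labels of the requested URL, or None."""
    match = LAST_TWO_LABELS.search(line)
    return match.group(1) if match else None


def extract_all(lines):
    """Map every log line to its extracted value (None when nothing matched)."""
    return [extract_domain(line) for line in lines]


if __name__ == "__main__":
    for line, domain in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(f"{domain!s:15} <- {line}")
```

Taking the last two labels is not the same as finding the registered domain: www.bbc.co.uk yields co.uk, and an IP-literal host yields its last two octets. Grouping by registered domain needs a public suffix list lookup after extraction.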