Not that I know of. You may be able to accomplish something using pipeline 
processors as they mature a bit more.

Regards,
Brandon

On Friday, December 9, 2016 at 1:34:52 PM UTC-6, Martin Germano wrote:
>
>
>   BKeep, I understand. So, to make it simple: is it possible to combine two 
> (or more) extractors?
>
> Thanks. 
>
> On Friday, December 9, 2016 at 4:13:07 PM UTC-3, BKeep wrote:
>>
>> While regex does allow capturing from multiple groups, I don't think 
>> Graylog allows doing multiple group captures, at least that's what I think 
>> you are asking for. If you look under the regex field when building an 
>> extractor there is a note "The regular expression used for extraction. 
>> *First matcher* group is used."
>>
>> I'm guessing here so correct me if I am wrong. Are you wanting to 
>> visualize the connections from ip1 => ip2? So you are looking to extract ip1 
>> and ip2 and put the results into a field? Something like connections: 
>> 10.10.01.10 => 210.10.10.01? If so, I don't think it is possible using 
>> a standard regex only.
>>
>> This may be helpful down the road.
>> http://www.rexegg.com/regex-quickstart.html 
>>
>> On Friday, December 9, 2016 at 11:31:43 AM UTC-6, Martin Germano wrote:
>>>
>>>
>>>
>>>   Hi BKeep, I already tested the marketplace extractors. But I have this 
>>> issue:
>>> I want to graph more than two values, for example dstip=* and srcip=* 
>>> and subtype=virus action=*.
>>>
>>> I can't find a regular expression.
>>>
>>> Is it possible?
>>> Thanks for your help
>>>
>>> On Thursday, December 8, 2016 at 4:45:37 PM UTC-3, BKeep wrote:
>>>>
>>>> I may be wrong, but that looks like a Fortinet/FortiGate log. Have you 
>>>> tried looking at the FortiGate stuff available in the marketplace for some 
>>>> examples?
>>>>
>>>>
>>>> https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8
>>>>
>>>> https://marketplace.graylog.org/addons/d41d3728-4722-4de6-b697-71efa579c4e2
>>>>
>>>> I create extractors that will run on the input where the expected logs 
>>>> will flow in.
>>>> What I do to match the src ip is this
>>>> srcip="?([0-9.]+)
>>>>
>>>> What I do to match the dst ip is this
>>>> dstip="?([0-9.]+)
>>>>
>>>> Regards,
>>>> Brandon
>>>>
>>>> On Thursday, December 8, 2016 at 1:06:59 PM UTC-6, Martin Germano wrote:
>>>>>
>>>>>
>>>>>   Maybe, ok, I'll try it. Later I will post the expression if I get it.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Thursday, December 8, 2016 at 1:58:27 PM UTC-3, Jochen Schalanda 
>>>>> wrote:
>>>>>>
>>>>>> Hi Martin,
>>>>>>
>>>>>> Your regular expression has to work with Java's regular expression 
>>>>>> engine.
>>>>>>
>>>>>> You can use http://www.regexplanet.com/advanced/java/index.html to 
>>>>>> fiddle around with the regular expression and your message.
>>>>>>
>>>>>> Cheers,
>>>>>> Jochen
>>>>>>
>>>>>> On Thursday, 8 December 2016 17:36:24 UTC+1, Martin Germano wrote:
>>>>>>>
>>>>>>>
>>>>>>>   Hi Jochen, for example this msg:
>>>>>>>
>>>>>>> "date=2016-12-07 time=17:43:01 logid=0262034961 type=utm* 
>>>>>>> subtype=virus* eventtype=scanerror level=notice vd="root" 
>>>>>>> *msg="File* reached uncompressed size limit." action=monitored 
>>>>>>> service=HTTP sessionid=3723464* srcip=1.1.1.1 dstip=2.2.2.2* 
>>>>>>> srcport=17633 dstport=80 srcintf="port1" dstintf="port2" proto=6 
>>>>>>> direction=incoming filename="2017-calendar-template.zip" 
>>>>>>> quarskip=No-skip 
>>>>>>> url="http://downloadscdn3.freepik.com/d/911040/1107/1/212/2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87" 
>>>>>>> profile="default" user="" agent="Mozilla/5.0" 
>>>>>>> analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050" 
>>>>>>> analyticssubmit=false crscore=50 crlevel=critical"
>>>>>>>
>>>>>>> I put all matches in bold letters.
>>>>>>>
>>>>>>> Regex: 
>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>
>>>>>>> I use this online software: http://regexr.com/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks.
>>>>>>>   
>>>>>>>
>>>>>>>
>>>>>>> On Thursday, December 8, 2016 at 7:25:44 AM UTC-3, Jochen Schalanda 
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Martin,
>>>>>>>>
>>>>>>>> which message should be matched by this regular expression and what 
>>>>>>>> should be the result in your opinion?
>>>>>>>>
>>>>>>>> It looks a bit strange to me.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jochen
>>>>>>>>
>>>>>>>> On Wednesday, 7 December 2016 22:33:42 UTC+1, Martin Germano wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>   Hi all, I'm a newbie on Graylog:
>>>>>>>>>
>>>>>>>>>   I'm trying to get this regex to work:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>>>>
>>>>>>>>>   
>>>>>>>>>   I get this error:
>>>>>>>>>   
>>>>>>>>> *Could not try regular expression. Make sure that it is valid.*
>>>>>>>>>
>>>>>>>>> *Details: Error: cannot POST 
>>>>>>>>> http://10.10.10.10:13900/tools/regex_tester (500)*
>>>>>>>>>
>>>>>>>>>   But when I test this on this online tool, it works fine:
>>>>>>>>>
>>>>>>>>>   https://regex101.com/  (JavaScript)
>>>>>>>>>
>>>>>>>>>   Any ideas?!
>>>>>>>>>   Thanks.
>>>>>>>>>   
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
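As an added example that is not from the thread or from Graylog itself: the extraction discussed above, in Python (the regexes are plain enough to be valid in Java's engine too, which is what a Graylog extractor needs). It shows Brandon's per-field srcip="?([0-9.]+) style extractor, which only uses the first matcher group, beside a key=value parser that pulls srcip, dstip, subtype and action out of the thread's FortiGate message in one pass and builds the "ip1 => ip2" connection field BKeep described. All function names are my own; the sample message is the one from the thread with the bold markers stripped and the long url= and analyticscksum= values left out.

```python
import re

# Sample FortiGate message from the thread, with the "*" bold markers
# stripped and the long url= and analyticscksum= values left out.
SAMPLE = ('date=2016-12-07 time=17:43:01 logid=0262034961 type=utm '
          'subtype=virus eventtype=scanerror level=notice vd="root" '
          'msg="File reached uncompressed size limit." action=monitored '
          'service=HTTP sessionid=3723464 srcip=1.1.1.1 dstip=2.2.2.2 '
          'srcport=17633 dstport=80 srcintf="port1" dstintf="port2" proto=6 '
          'direction=incoming filename="2017-calendar-template.zip" '
          'quarskip=No-skip profile="default" user="" agent="Mozilla/5.0" '
          'analyticssubmit=false crscore=50 crlevel=critical')

# The per-field extractors from the thread: one regex each, value in group 1.
SINGLE_FIELD = {
    'srcip': re.compile(r'srcip="?([0-9.]+)'),
    'dstip': re.compile(r'dstip="?([0-9.]+)'),
}

def extract_first_group(pattern, message):
    """Mimic a Graylog regex extractor: only the first matcher group is used."""
    m = pattern.search(message)
    return m.group(1) if m else None

# key=value tokenizer: a value is either "quoted" (may contain spaces, may be
# empty, as in user="") or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(message):
    """Parse the whole message into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(message):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields

WANTED = ('srcip', 'dstip', 'subtype', 'action')

def virus_event_fields(message):
    """The four fields asked for in the thread, plus the 'ip1 => ip2'
    connection field; None when the message is not a subtype=virus event."""
    f = parse_kv(message)
    if f.get('subtype') != 'virus':
        return None
    out = {k: f.get(k) for k in WANTED}
    out['connection'] = f"{f.get('srcip')} => {f.get('dstip')}"
    return out
```

In Graylog terms, parse_kv plus virus_event_fields is the kind of multi-field step a pipeline rule would do; a single regex extractor only ever gives you one group.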

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/e7fb1f1e-4f91-4469-be24-231e39092473%40googlegroups.com.