Well I'm a moron and forgot domain names could have more than two words too so, I'm kinda lost as to what I can do here ^^'
On Wednesday, July 13, 2016 at 2:41:33 PM UTC+4, Zoizo wrote: > > Hello, > > I know this has been brought up a lot already but I didn't find a clear > answer. > > I have this template of log : > > pamandzi squid3: 1468405079.420 1 10.138.7.25 TCP_HIT/200 8573 GET > http://static.cedex.it.showroomprive.com/v3/0/_img/wait2.gif - NONE/- > image/gif > > And I have created 3 extractors for it : > > squid3: [0-9]{1,50}.[0-9]{1,50}[ ]{1,10}[0-9]{1,50} ([0-9.]{1,50}) => will > return the cient ip address. Works fine > > [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [a-zA-Z0-9.-/%:_=]{1,50} > ([0-9]{1,10}) => returns the bytes used in the request. Works fine too. > > My problem comes wit the last extractor. At the moment I have this : > > GET http://[a-zA-Z0-9-]{1,1000}.([a-zA-Z0-9-.]{1,1000}) > > My reasonning when I created this was that most URLs I saw started with > one word, then there is the domain name, and then there is all that comes > after the first / > It works fine when there is exactly one word before the domain name > (example : http://www.facebook.com), but obviously doesn't when there is > none, or more that one. > > How can I make a regex that will take only the domain name, aka the last > two things before the / ? > > Thanks a lot. > > > Ps : I know the two working reges are kinda ugly and not clean (with all > those {1,1000} etc). Please don't pay attention to that :S > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/6d1e3622-e83f-4a6a-9489-1625870a7d94%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
