Not that I know of. You may be able to accomplish something using pipeline 
processors as they mature a bit more.

Regards,
Brandon

On Friday, December 9, 2016 at 1:34:52 PM UTC-6, Martin Germano wrote:
>
>
>   BKeep, I understand. So, to make it simple: is it possible to combine two 
> (or more) extractors?
>
> Thanks. 
>
> On Friday, December 9, 2016 at 4:13:07 PM UTC-3, BKeep wrote:
>>
>> While regex does allow capturing from multiple groups, I don't think 
>> Graylog allows doing multiple group captures, at least that's what I think 
>> you are asking for. If you look under the regex field when building an 
>> extractor there is a note: "The regular expression used for extraction. 
>> *First matcher* group is used."
>>
>> I'm guessing here, so correct me if I am wrong. Are you wanting to 
>> visualize the connections from ip1 => ip2? So you are looking to extract ip1 
>> and ip2 and put the results into a field? Something like connections: 
>> 10.10.01.10 => 210.10.10.01? If so, I don't think it is possible using 
>> a standard regex only.
>>
>> This may be helpful down the road.
>> http://www.rexegg.com/regex-quickstart.html 
>>
>> On Friday, December 9, 2016 at 11:31:43 AM UTC-6, Martin Germano wrote:
>>>
>>>
>>>
>>>   Hi BKeep, I already tested the marketplace extractors. But I have this 
>>> issue:
>>> I want to graph more than two values: for example dstip=* and srcip=* 
>>> and subtype=virus action=*  
>>>
>>> I can't find a regular expression.
>>>
>>> Is it possible?
>>> Thanks for your help.
>>>
>>> On Thursday, December 8, 2016 at 4:45:37 PM UTC-3, BKeep wrote:
>>>>
>>>> I may be wrong, but that looks like a Fortinet/FortiGate log. Have you 
>>>> tried looking at the FortiGate stuff available in the marketplace for some 
>>>> examples?
>>>>
>>>>
>>>> https://marketplace.graylog.org/addons/a91344aa-fced-4d1a-928d-f3ded6e5a2f8
>>>>
>>>> https://marketplace.graylog.org/addons/d41d3728-4722-4de6-b697-71efa579c4e2
>>>>
>>>> I create extractors that will run on the input where the expected logs 
>>>> will flow in.
>>>> What I do to match the src ip is this
>>>> srcip="?([0-9.]+)
>>>>
>>>> What I do to match the dst ip is this
>>>> dstip="?([0-9.]+)
>>>>
>>>> Regards,
>>>> Brandon
>>>>
>>>> On Thursday, December 8, 2016 at 1:06:59 PM UTC-6, Martin Germano wrote:
>>>>>
>>>>>
>>>>>   Maybe, OK, I'll try it. Later I will post the expression if I get it.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Thursday, December 8, 2016 at 1:58:27 PM UTC-3, Jochen Schalanda 
>>>>> wrote:
>>>>>>
>>>>>> Hi Martin,
>>>>>>
>>>>>> Your regular expression has to work with Java's regular expression 
>>>>>> engine.
>>>>>>
>>>>>> You can use http://www.regexplanet.com/advanced/java/index.html to 
>>>>>> fiddle around with the regular expression and your message.
>>>>>>
>>>>>> Cheers,
>>>>>> Jochen
>>>>>>
>>>>>> On Thursday, 8 December 2016 17:36:24 UTC+1, Martin Germano wrote:
>>>>>>>
>>>>>>>
>>>>>>>   Hi Jochen, for example this msg:
>>>>>>>
>>>>>>> "date=2016-12-07 time=17:43:01 logid=0262034961 type=utm* 
>>>>>>> subtype=virus* eventtype=scanerror level=notice vd="root" 
>>>>>>> *msg="File* reached uncompressed size limit." action=monitored 
>>>>>>> service=HTTP sessionid=3723464* srcip=1.1.1.1 dstip=2.2.2.2* 
>>>>>>> srcport=17633 dstport=80 srcintf="port1" dstintf="port2" proto=6 
>>>>>>> direction=incoming filename="2017-calendar-template.zip" 
>>>>>>> quarskip=No-skip 
>>>>>>> url="http://downloadscdn3.freepik.com/d/911040/1107/1/212/2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87" 
>>>>>>> profile="default" user="" agent="Mozilla/5.0" 
>>>>>>> analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050" 
>>>>>>> analyticssubmit=false crscore=50 crlevel=critical"
>>>>>>>
>>>>>>> I put all matches in bold letters.
>>>>>>>
>>>>>>> Regex: 
>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>
>>>>>>> I use this online software: http://regexr.com/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks.
>>>>>>>   
>>>>>>>
>>>>>>>
>>>>>>> On Thursday, December 8, 2016 at 7:25:44 AM UTC-3, Jochen Schalanda 
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Martin,
>>>>>>>>
>>>>>>>> which message should be matched by this regular expression and what 
>>>>>>>> should be the result in your opinion?
>>>>>>>>
>>>>>>>> It looks a bit strange to me.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jochen
>>>>>>>>
>>>>>>>> On Wednesday, 7 December 2016 22:33:42 UTC+1, Martin Germano wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>   Hi all, I'm a newbie on Graylog.
>>>>>>>>>
>>>>>>>>>   I am trying to get this regex to work:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> (srcip=)|(dstip=)|(subtype=virus)|(attack=[^\s]+)|(msg=[^\s]+)|(\d{*.}\d)|\b(?:\d{1,3}\.){3}\d{1,3}
>>>>>>>>>>
>>>>>>>>>   
>>>>>>>>>   I get this error:
>>>>>>>>>   
>>>>>>>>> *Could not try regular expression. Make sure that it is valid.*
>>>>>>>>>
>>>>>>>>> *Details: Error: cannot POST 
>>>>>>>>> http://10.10.10.10:13900/tools/regex_tester 
>>>>>>>>> <http://10.10.10.10:13900/tools/regex_tester> (500)*
>>>>>>>>>
>>>>>>>>>   But when I test this on this online tool, it works fine.
>>>>>>>>>
>>>>>>>>>   https://regex101.com/  (java script)
>>>>>>>>>
>>>>>>>>>   Any ideas?!
>>>>>>>>>   Thanks.
>>>>>>>>>   
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
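Added worked example (editor's code, not from the thread, from Graylog or from Fortinet): the FortiGate key=value line quoted above, parsed in Python. It shows the two approaches discussed: a single parser that pulls every key=value pair (handling quoted values with spaces, as in msg="..."), and one regex per field in the style of Brandon's srcip="?([0-9.]+), each with exactly one capture group as Graylog's extractor requires, combined afterwards into the "ip1 => ip2" field that a lone extractor cannot produce. The sample line is reconstructed from the quoted message with the "*" bold markers removed; the action and subtype extractors, the \b anchors, and the connection_field/is_virus_event helpers are my own assumptions. These patterns use only syntax that Java's regex engine also accepts. By contrast, the \d{*.}\d alternative in the original regex is not a valid Java quantifier (Java reports "Illegal repetition"), which is why Graylog's tester returns an error while regex101's JavaScript flavor treats the brace literally and accepts it.

```python
import re

# Constructed sample: the FortiGate UTM log line quoted in the thread,
# with the "*" bold markers stripped. Not a live log.
SAMPLE = (
    'date=2016-12-07 time=17:43:01 logid=0262034961 type=utm subtype=virus '
    'eventtype=scanerror level=notice vd="root" '
    'msg="File reached uncompressed size limit." action=monitored '
    'service=HTTP sessionid=3723464 srcip=1.1.1.1 dstip=2.2.2.2 '
    'srcport=17633 dstport=80 srcintf="port1" dstintf="port2" proto=6 '
    'direction=incoming filename="2017-calendar-template.zip" quarskip=No-skip '
    'url="http://downloadscdn3.freepik.com/d/911040/1107/1/212/'
    '2017-calendar-template.zip?ttl=1481143658&token=24b45d89f0dbd3e92d1fe274ff03cb87" '
    'profile="default" user="" agent="Mozilla/5.0" '
    'analyticscksum="f08144093ffdea250ba225babade9e25e5e9f399dd93bdc21fa9b5fd49efc050" '
    'analyticssubmit=false crscore=50 crlevel=critical'
)

# One key=value token: the value is either "quoted" (may contain spaces,
# '=' and '&', as the url= and msg= fields do) or a bare run of non-space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortigate(line):
    """Parse every key=value pair of a FortiGate log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        # quoted is '' (not None) for user="", so keep the empty string
        fields[key] = quoted if quoted is not None else bare
    return fields


# One regex per field, each with a single capture group, as a Graylog regex
# extractor needs ("First matcher group is used"). The srcip/dstip patterns
# are Brandon's, with \b added so e.g. a hypothetical "xsrcip=" key does not
# match; action and subtype are assumed additions in the same style.
EXTRACTORS = {
    'srcip': re.compile(r'\bsrcip="?([0-9.]+)'),
    'dstip': re.compile(r'\bdstip="?([0-9.]+)'),
    'action': re.compile(r'\baction="?([^\s"]+)'),
    'subtype': re.compile(r'\bsubtype="?([^\s"]+)'),
}


def run_extractors(line):
    """Apply each single-group extractor; missing fields are simply absent."""
    out = {}
    for name, rx in EXTRACTORS.items():
        m = rx.search(line)
        if m:
            out[name] = m.group(1)
    return out


def connection_field(fields):
    """Combine two extracted values into one "src => dst" field. This is the
    step a single regex extractor cannot do; in Graylog it would be a
    pipeline rule run after the per-field extractors."""
    if 'srcip' in fields and 'dstip' in fields:
        return f"{fields['srcip']} => {fields['dstip']}"
    return None


def is_virus_event(fields):
    """True for the subtype=virus events the thread wants to graph."""
    return fields.get('subtype') == 'virus'


if __name__ == '__main__':
    parsed = parse_fortigate(SAMPLE)
    extracted = run_extractors(SAMPLE)
    print(parsed['msg'])
    print(extracted)
    print(connection_field(extracted), is_virus_event(extracted))
```

The parser is the general case: it recovers all fields, including quoted ones, in one pass, which is what a pipeline rule (key_value in Graylog's pipeline functions) does for you once those mature. The per-field extractors are the only thing a plain regex extractor can express; derive any combined field from their outputs rather than from one regex with several groups.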
