Re: [graylog2] Re: Extractor help - domain name only
Ok I have resolved the problem (it seems). I created two extractors, one with the condition "matches regular expression" "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/" and the other with "GET [a-z]+://[a-zA-Z0-9]{1,1000}.[a-zA-Z0-9]{2,4}/.*", both under the same field name. It didn't create two of the same fields fortunately.

Thanks again Jason!

On Friday, July 15, 2016 at 8:36:13 AM UTC+4, Zoizo wrote:
>
> Hi,
>
> I tested your second regex (what I need is the two words, facebook.com)
> and it works fine when there are three or more words, and sadly doesn't
> when there are exactly two words (http://facebook.com for example).
> Is there a way to add an alternation to the regex, like, if the first
> regex doesn't match any group, try GET [a-z]+://([^/]+)/ instead?
> I tried this: GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/ | GET [a-z]+://([^/]+)/
> but it says nothing will be extracted. I must have made a syntax mistake
> since I haven't used that before.
>
> Thanks lots!
>
> On Thursday, July 14, 2016 at 11:33:10 AM UTC+4, Jason Haar wrote:
>>
>> On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:
>>
>>> Well I'm a moron and forgot domain names could have more than two words
>>> too so, I'm kinda lost as to what I can do here ^^'
>>
>> Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"
>>
>> On "facebook.com" that would match "com". Assuming that's what you want
>> of course (I stick to "GET [a-z]+://([^/]+)/" myself)
>>
>> If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/"
>> should do that
>>
>> I know "https?" would be better - but I'm not near graylog at the moment
>> and I don't know if its weird Java-based regex library supports that - so
>> I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/7ea553c3-0461-46d0-825e-b17ba1156f3c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [graylog2] Re: Extractor help - domain name only
Hi,

I tested your second regex (what I need is the two words, facebook.com) and it works fine when there are three or more words, and sadly doesn't when there are exactly two words (http://facebook.com for example).
Is there a way to add an alternation to the regex, like, if the first regex doesn't match any group, try GET [a-z]+://([^/]+)/ instead?
I tried this: GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/ | GET [a-z]+://([^/]+)/
but it says nothing will be extracted. I must have made a syntax mistake since I haven't used that before.

Thanks lots!

On Thursday, July 14, 2016 at 11:33:10 AM UTC+4, Jason Haar wrote:
>
> On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:
>
>> Well I'm a moron and forgot domain names could have more than two words
>> too so, I'm kinda lost as to what I can do here ^^'
>
> Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"
>
> On "facebook.com" that would match "com". Assuming that's what you want
> of course (I stick to "GET [a-z]+://([^/]+)/" myself)
>
> If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/"
> should do that
>
> I know "https?" would be better - but I'm not near graylog at the moment
> and I don't know if its weird Java-based regex library supports that - so
> I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [graylog2] Re: Extractor help - domain name only
Hi,

I tried your second regex (I need the two words, yes), and it works fine! There is one problem though, it doesn't work when there are exactly two words, because it does not find the first [^/]. How can I say in the regex that the [^/] is optional please?

Thanks lots.

On Thursday, July 14, 2016 at 11:33:10 AM UTC+4, Jason Haar wrote:
>
> On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:
>
>> Well I'm a moron and forgot domain names could have more than two words
>> too so, I'm kinda lost as to what I can do here ^^'
>
> Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"
>
> On "facebook.com" that would match "com". Assuming that's what you want
> of course (I stick to "GET [a-z]+://([^/]+)/" myself)
>
> If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/"
> should do that
>
> I know "https?" would be better - but I'm not near graylog at the moment
> and I don't know if its weird Java-based regex library supports that - so
> I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [graylog2] Re: Extractor help - domain name only
Thanks a whole lot. I will try that at work tomorrow and update.
Re: [graylog2] Re: Extractor help - domain name only
On Wed, Jul 13, 2016 at 10:57 PM, Zoizo wrote:
> Well I'm a moron and forgot domain names could have more than two words
> too so, I'm kinda lost as to what I can do here ^^'

Try a regex like "GET [a-z]+?://[^\.]+\.([^/]+)/"

On "facebook.com" that would match "com". Assuming that's what you want of course (I stick to "GET [a-z]+://([^/]+)/" myself)

If you want the last two, then "GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/" should do that

I know "https?" would be better - but I'm not near graylog at the moment and I don't know if its weird Java-based regex library supports that - so I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
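Added example, not from any message in this thread: it runs the two patterns Jason quoted and the alternation Zoizo tried against constructed request lines, and adds one combined pattern (my own assumption, not something proposed in the thread) that covers the two-label and many-label cases with a single capture group. Python's `re` stands in for Graylog's Java regex engine here; both accept `https?` and non-capturing groups, and the "first capture group only" reading in `extract()` is an assumed extractor behaviour.

```python
import re

# Patterns quoted in the thread: Jason's "last two labels" regex and his
# plain host regex.
LAST_TWO = re.compile(r"GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/")
HOST_ONLY = re.compile(r"GET [a-z]+://([^/]+)/")

# The alternation exactly as Zoizo typed it. The spaces around '|' are part
# of the pattern: branch 1 must end in "/ " and branch 2 must start " GET".
BROKEN_ALT = re.compile(
    r"GET [a-z]+://[^/]+\.([^/]+\.[^/]+)/ | GET [a-z]+://([^/]+)/")

# Added here, not proposed in the thread: one pattern for both the two-label
# and the many-label case. The non-capturing prefix absorbs any leading
# labels, so the single capture group always holds the last two.
COMBINED = re.compile(r"GET (?:https?|ftp)://(?:[^/.]+\.)*([^/.]+\.[^/.]+)/")


def extract(pattern, line):
    """Return capture group 1, the way an extractor that reads only the
    first group would (assumed behaviour). None means nothing extracted:
    no match, or a match in which group 1 did not take part."""
    m = pattern.search(line)
    return m.group(1) if m else None


def all_groups(pattern, line):
    """Return every capture group, to show which alternation branch matched."""
    m = pattern.search(line)
    return m.groups() if m else None


# Constructed sample request lines, not real log data.
THREE_LABELS = "10.0.0.5 - - GET http://www.facebook.com/ HTTP/1.1"
TWO_LABELS = "10.0.0.5 - - GET http://facebook.com/ HTTP/1.1"
NO_TRAILING_SPACE = "GET http://www.facebook.com/"

if __name__ == "__main__":
    samples = [("three labels", THREE_LABELS), ("two labels", TWO_LABELS),
               ("line ends at '/'", NO_TRAILING_SPACE)]
    for name, line in samples:
        print(f"{name}:")
        print("  LAST_TWO   ->", extract(LAST_TWO, line))
        print("  HOST_ONLY  ->", extract(HOST_ONLY, line))
        print("  BROKEN_ALT ->", all_groups(BROKEN_ALT, line))
        print("  COMBINED   ->", extract(COMBINED, line))
```

On every sample line the alternation leaves group 1 unset: on lines with text before GET its second branch matches one character earlier (at the space) and wins, and on a line ending at "/" neither branch matches, which is consistent with "nothing will be extracted". The last two labels are also not the registrable domain for suffixes such as co.uk; a public-suffix list is needed for that.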