Extract two fields for auditing

(charlie) #1

Hi All,

I have IIS logs shipping to Graylog quite nicely. I can see the source IPs and the sc-status. What I’m trying to do is create a dashboard and search query for the following conditions:

The IP is public (I have a regular expression for this already)
The sc-status is 403.*

How can I combine these two fields? Should I be running an extractor that looks for two expressions (separated by |) or is there a search query I can write?


You can put queries on the dashboard, so I think that can help you.
Or, if you would like to do it at processing time, you can do it with pipelines. If your conditions are met, you can put a new field on the message and then search for this field.
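To illustrate the pipeline approach from the reply above, here is an added example of a Graylog pipeline rule; it is not code from the original post or from Graylog's own documentation. It assumes the IIS extractors have put the client address in a field named c_ip and the status in a field named sc_status (Graylog field names cannot contain hyphens, so c-ip and sc-status are commonly mapped that way). "Public" is approximated here as "not in any RFC 1918, loopback or link-local range"; the existing regex from the question could be used instead via regex(pattern, to_string($message.c_ip)).matches == true.

```text
// Added example rule (not from the original thread).
// Field names c_ip and sc_status are assumptions about the IIS extractor setup.
rule "tag 403 responses served to public client addresses"
when
  has_field("c_ip") && has_field("sc_status") &&
  // starts_with covers both "403" and a combined "403.x" status/substatus value
  starts_with(to_string($message.sc_status), "403") &&
  // "public" = not private (RFC 1918), not loopback, not link-local
  ! cidr_match("10.0.0.0/8",     to_ip($message.c_ip)) &&
  ! cidr_match("172.16.0.0/12",  to_ip($message.c_ip)) &&
  ! cidr_match("192.168.0.0/16", to_ip($message.c_ip)) &&
  ! cidr_match("127.0.0.0/8",    to_ip($message.c_ip)) &&
  ! cidr_match("169.254.0.0/16", to_ip($message.c_ip))
then
  // Mark the message so it can be found with a simple field query later
  set_field("public_403", true);
  set_field("audit_reason", "403 returned to public client address");
end
```

The rule has to live in a pipeline that is connected to the stream receiving the IIS messages, and it only applies to messages processed after it is deployed. Once it is in place, the dashboard widget and the search can both use the plain query public_403:true instead of repeating the IP and status conditions; adding c_ip to the widget's grouping gives the per-source-address count of denied requests the question is after.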