I have IIS logs shipping to Graylog quite nicely. I can see the source IPs and the sc-status. What I’m trying to do is create a dashboard and search query for the following conditions:
The IP is public (I have a regular expression for this already)
The sc-status is 403.*
How can I combine these two fields? Should I be running an extractor that looks for two expressions (separated by |) or is there a search query I can write?
You can put queries in the dashboard, so I think it can help you. https://community.graylog.org/t/search-using-regex/4331/8
Or, if you would like to do it at processing time, you can do it with pipelines. If your conditions are met you can put a new field on the message, and make a search for this field.
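As an added illustration of the pipeline approach (this is example code, not from the original post or from the Graylog project), here is a pipeline rule that tags a message when both conditions hold. It assumes the IIS extractor stores the client address in a field named `c_ip` and the status code in `sc_status` (adjust to whatever your extractor produces), and it defines "public" as any address outside the RFC 1918 ranges and loopback; add further CIDRs (for example your own public ranges, or 169.254.0.0/16) to the `cidr_match` list if your existing regular expression excludes them too.

```graylog
rule "flag 403 from public source IP"
when
    // both fields must exist, otherwise to_ip/to_string would operate on nothing
    has_field("c_ip") && has_field("sc_status") &&
    // sc-status 403 with any sub-status (the "403.*" condition from the question)
    starts_with(to_string($message.sc_status), "403") &&
    // "public" = not in a private or loopback range (assumed definition; extend as needed)
    ! cidr_match("10.0.0.0/8",     to_ip($message.c_ip)) &&
    ! cidr_match("172.16.0.0/12",  to_ip($message.c_ip)) &&
    ! cidr_match("192.168.0.0/16", to_ip($message.c_ip)) &&
    ! cidr_match("127.0.0.0/8",    to_ip($message.c_ip))
then
    // new field the dashboard/search can key on
    set_field("public_403", true);
end
```

Attach the rule to a pipeline connected to the stream that receives the IIS messages. Once messages are tagged, the search query is simply `public_403:true`, which you can save and add to a dashboard widget; because the decision is made once at ingest time, the dashboard query stays cheap no matter how complex the public-IP definition becomes.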