I have IIS logs shipping to Graylog quite nicely. I can see the source IPs and the sc-status. What I’m trying to do is create a dashboard and search query for the following conditions:
The IP is public (I have a regular expression for this already)
The sc-status is 403.*
How can I combine these two fields? Should I be running an extractor that looks for two expressions (separated by |) or is there a search query I can write?