Filtering by domain name

Hello,

On graylog filter I use : Type : THEAD AND Subtype:url AND (Action:alert OR Action:allow)

But I have to many URL like:
123/game.com
678/game.com
789/879/game.com

So in Graylog I have 3 URL instead of one!

So how can I use on filter to have only *.domain.com for each URL ?

Thank you.

how did you normalize your log messages? Maybe that can be optimized to fit better to your usecase.

Hello, Thank you for your answer.
Maybe I can optimized for yet I m not alowed to do it ^^

I just creat a regex : [a-zA-Z-]{1,}.[a-z]{2,3}(?:[$\s/\])
I do some test on regex101.com and that looks good to begin.

But how can I use it on my search bar ?

Is it possible to do : Type:THEAD AND Subtype:url AND (Action:alert OR Action:allow) AND [a-zA-Z-]{1,}\.[a-z]{2,3}(?:[$\s\/\\])

Thank you.

Apparently there are quite some gotchas involved with regexp in Graylog / Elasic.

https://www.elastic.co/guide/en/elasticsearch/guide/2.x/_wildcard_and_regexp_queries.html

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.