I am working on some http_referer analysis from my proxy logs; it seems like an interesting thing to do. I want to do an additional search-time field extraction and rip apart the http_referer field to provide more search functionality from the data.
Can I do something like:
transforms.conf:
REGEX = field=http_referrer ^(? \w+)://
*Yes, I realize my field name isn't the same as the RFC... haha, official misspelling 😕
I can build the whole thing out with a single line, and I am sure the hardware can handle the overhead without issue (I hope), but I'd rather have a field anchor of some sort to go off of.
Am I missing something on this?
Afterthoughts: I can do a content match on the :// as there is nothing in the logs that should contain that combination of characters in ASCII; any colons in the URI will be in hex or something else.
Thanks.