I am working on some http_referer analysis from my proxy logs; it seems like an interesting thing to do. I want to do an additional search-time field extraction and rip apart the http_referer field to provide more search functionality from the data.
Can I do something like:
transforms.conf: REGEX = field=http_referrer ^(?<http_referer_scheme>\w+)://
*Yes, I realize my field name isn't the same as the RFC... haha, official misspelling :/
I can build the whole thing out with a single line, and I am sure the hardware can handle the overhead without issue (I hope), but I'd rather have a field anchor of some sort to go off of.
Am I missing something on this?
Afterthoughts: I can do a content match on the :// as there is nothing in the logs that should contain that combination of characters in ASCII; any colons in the URI will be in hex or something else.
Thanks.
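One way to anchor the extraction on the field rather than on the raw event, as an added example that is not part of the original post: the SOURCE_KEY setting in transforms.conf points the regex at http_referrer instead of _raw. The sourcetype name proxy_logs, the stanza name referer_parts and the host, port and path field names are assumptions.

```ini
# props.conf
# "proxy_logs" is a placeholder sourcetype name (assumption).
[proxy_logs]
# Search-time extraction that calls the transform below.
REPORT-referer_parts = referer_parts

# transforms.conf
# "referer_parts" is a hypothetical stanza name.
[referer_parts]
# Apply the regex to the already-extracted field, not to _raw.
SOURCE_KEY = http_referrer
# scheme://host[:port][/path]; port and path are optional.
# Only http_referer_scheme comes from the post; the other field names are assumed.
REGEX = ^(?<http_referer_scheme>\w+)://(?<http_referer_host>[^/:?#]+)(?::(?<http_referer_port>\d+))?(?<http_referer_path>/[^?#]*)?
```

For SOURCE_KEY to see it, http_referrer has to exist before REPORT- transforms run, so it must come from an EXTRACT- or an earlier REPORT- extraction rather than from automatic key-value extraction or a field alias. The leading ^ keeps the match anchored to the start of the field value, so a :// appearing later in the value does not shift the scheme.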