Hello again,
So I did as you and @hilo21 suggested: I used a grok filter and separated the indicators.
The grok filter I used is:
grok {
  match => { "url" => "%{URIPROTO:uri_proto}:\/\/(%{IP:destination.ip}:%{NUMBER:destination.port})?(%{URIHOST:domain})?\/%{GREEDYDATA:uri_para}" }
}
(Sometimes the indicator is an IP address and port, and sometimes it's a URL; that's why my filter looks like that.)
And my rule looks like this:
The only problem is that I am getting this error while creating the rule, so I couldn't test whether it's working correctly:
So I created a new topic here:
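As an added example that is not part of the original post (and not Logstash's own code), here is a Python approximation of that grok pattern, using simplified stand-ins for the URIPROTO, IP, NUMBER and URIHOST library patterns and underscores instead of the dotted `destination.ip` / `destination.port` field names. Run over a few constructed indicators, it shows which indicator form fills which field, and that an indicator with no `/` after the host does not match at all (the case where grok would tag the event `_grokparsefailure`).

```python
import re
from typing import Optional

# Constructed Python approximation of the grok pattern from the post.
# Assumption: the character classes below stand in for Logstash's
# URIPROTO, IP, NUMBER and URIHOST patterns; they are not the real ones.
INDICATOR_RE = re.compile(
    r"^(?P<uri_proto>[A-Za-z][A-Za-z0-9+.-]*)://"
    # optional "IP:port" form, like (%{IP:destination.ip}:%{NUMBER:destination.port})?
    r"(?:(?P<destination_ip>(?:\d{1,3}\.){3}\d{1,3}):(?P<destination_port>\d+))?"
    # optional host form, like (%{URIHOST:domain})?
    r"(?:(?P<domain>[A-Za-z0-9.-]+(?::\d+)?))?"
    # the literal "/" is mandatory in the original pattern, then GREEDYDATA
    r"/(?P<uri_para>.*)$"
)


def parse_indicator(url: str) -> Optional[dict]:
    """Return the captured fields for one indicator, or None on no match."""
    match = INDICATOR_RE.match(url)
    if match is None:
        return None
    # grok only creates the fields that actually captured something
    return {name: value for name, value in match.groupdict().items() if value is not None}


if __name__ == "__main__":
    # constructed sample indicators covering both forms and the failure case
    samples = [
        "http://10.0.0.1:8080/login.php",   # IP and port form
        "https://evil.example/path?a=1",    # URL form
        "http://10.0.0.1/x",                # IP without port: falls into "domain"
        "https://evil.example",             # no "/" after host: no match
    ]
    for sample in samples:
        print(sample, "->", parse_indicator(sample))
```

The third sample is worth noting when building a rule on these fields: an IP indicator without a port is not captured by the `destination.ip` group, because the pattern requires the `:port` part, so it ends up in `domain` instead.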