Aug 15, 2013

    Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

      We have a block request in place for "bigboy-analysis.com/cgi-bin/neo3/". What I see in the event is URL Domain = www[.]bigboy-analysis.com and URL = www[.]bigboy-analysis/cgi-bin/neo/<query string>. What I need is a field (parameter) that contains exactly the first string in the user-defined log. I do not want the query string but just the portion of the URL that matched the blocked list, that is, the bigboy-analysis.com/cgi/neo3 portion of the request in the user-defined log. Perhaps calling the new field "blocked string" or something. Any ideas appreciated. New to the product.