Suppose we wish to monitor Web server log files and we have three requirements:
(1) we do not want to see accesses from our own IPs (e.g., 22.214.171.124, 126.96.36.199, and 188.8.131.52);
(2) we do not want to see particular domains (e.g., test1.example.com, test2.example.com, and test3.example.com);
(3) we wish to see lines that contain all of "aaa", "bbb", and "ccc".
Currently, the only reasonable way to do this is to create a single big regular expression (e.g., MY_BIG_REGEXP) in "Administrator" -> "General" -> "Regular expressions" and then specify this regular expression in an item, like so:
This sometimes lacks flexibility, which is highly inconvenient. Suppose there is a file hislogfile.txt. We wish to (1) exclude IP addresses 184.108.40.206, 220.127.116.11, and 18.104.22.168 as before, (2) exclude different domains this time: demo1.example.com, demo2.example.com, and demo3.example.com, (3) see lines that contain "aaa", "bbb", and "ccc" as before. And if there is also herlogfile.txt, in which we wish to do (1) and (2) as in the second case, but instead of (3) we wish to see "xxx", "yyy", and "zzz", this leads to three big regular expressions that have a lot of duplicate information.
What would be highly cool is to create five regular expressions:
(1) NOT_OUR_IPS, which excludes our IP addresses;
(2) NOT_TEST_DNS, which excludes testX.example.com;
(3) NOT_DEMO_DNS, which excludes demoX.example.com;
(4) AAA_BBB_CCC for "aaa", "bbb", and "ccc";
(5) XXX_YYY_ZZZ for "xxx", "yyy", and "zzz".
We could then combine them in different ways, like so:
This is vastly more flexible and convenient than having to create big regular expressions that have duplicate information. For instance, if we get a new IP address (e.g., 22.214.171.124), we only have to add it to NOT_OUR_IPS, rather than all big regular expressions.
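The composition described above can be sketched in Python. This is an added illustration, not Zabbix code and not part of the original request. It assumes each named expression is a list of sub-expressions with an expected TRUE/FALSE result; `first_case`, the helper names and the sample log lines are constructed for the example.

```python
import re

def any_of(literals):
    # Match any listed IP or host name as a whole token, so 22.214.171.124
    # does not also hide 122.214.171.124 or a longer host name.
    alt = "|".join(re.escape(s) for s in literals)
    return re.compile(r"(?<![\w.-])(?:%s)(?![\w-]|\.\w)" % alt)

def build_blocks(our_ips):
    # Each block is a list of (pattern, expected_result) pairs.
    def contains_all(*words):
        return [(re.compile(re.escape(w)), True) for w in words]
    hosts = lambda prefix: ["%s%d.example.com" % (prefix, i) for i in (1, 2, 3)]
    return {
        "NOT_OUR_IPS": [(any_of(our_ips), False)],
        "NOT_TEST_DNS": [(any_of(hosts("test")), False)],
        "NOT_DEMO_DNS": [(any_of(hosts("demo")), False)],
        "AAA_BBB_CCC": contains_all("aaa", "bbb", "ccc"),
        "XXX_YYY_ZZZ": contains_all("xxx", "yyy", "zzz"),
    }

# Which blocks apply to which log; "first_case" is a hypothetical label.
PROFILES = {
    "first_case": ["NOT_OUR_IPS", "NOT_TEST_DNS", "AAA_BBB_CCC"],
    "hislogfile.txt": ["NOT_OUR_IPS", "NOT_DEMO_DNS", "AAA_BBB_CCC"],
    "herlogfile.txt": ["NOT_OUR_IPS", "NOT_DEMO_DNS", "XXX_YYY_ZZZ"],
}

def filter_log(lines, profile, blocks):
    # Keep a line only if every sub-expression of every block in the
    # profile evaluates to its expected result.
    def passes(line):
        return all(bool(rx.search(line)) is expected
                   for name in PROFILES[profile] for rx, expected in blocks[name])
    return [line for line in lines if passes(line)]

OUR_IPS = ["22.214.171.124", "126.96.36.199", "188.8.131.52"]  # requirement (1)
SAMPLE = [  # constructed log lines
    "22.214.171.124 GET /aaa/bbb/ccc host=www.example.com",
    "198.51.100.7 GET /aaa/bbb/ccc host=test1.example.com",
    "198.51.100.7 GET /aaa/bbb/ccc host=demo2.example.com",
    "198.51.100.7 GET /aaa/bbb host=www.example.com",
    "198.51.100.7 GET /xxx/yyy/zzz host=www.example.com",
    "122.214.171.124 GET /aaa/bbb/ccc host=www.example.com",
]

if __name__ == "__main__":
    blocks = build_blocks(OUR_IPS)
    for profile in PROFILES:
        print(profile, filter_log(SAMPLE, profile, blocks))
```

Passing a longer address list to `build_blocks` changes the result for all three profiles at once, which is the single point of maintenance the request asks for.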