Hum, you still get hit with the escaping problem since you don't know how many |s to split so you have to pick something that is not going to be in the URL. I would put the url at the end anway, so if they got some odd characters into the log Your new approach is certainly safer since you won't get bitten by evaled code.

As an aside, someone else noted that you couldn't remove /etc/passwd as nobody, but remember this is a log analysis tool that will be run by some user periodically.

-ben