https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27926#M5472 <P>sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT | rex field=_raw "USER (?P<REGISTRAR>[\d+-\w\w]) downloading /[^/]+/[^/]+/(?P<FILENAME>w+.w+).$" doesn't work. Even taking away the $ doesn't work either. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></FILENAME></REGISTRAR></P> Mon, 28 Sep 2020 12:12:38 GMT gnovak 2020-09-28T12:12:38Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27922#M5468 <P>I can't seem to figure this one out. I have a line in a log like this:</P> <P>2012-08-07 12:35:49,138 [http-10.40.231.33-40081-11] INFO info.mycompany.WAT.report.ReportService - USER [6913-ZZ] downloading /billing/2012/May/Statement.pdf</P> <P>And here is my splunk search with regex:</P> <P>sourcetype="EPPWEB" source="/opt/log/<EM>/web_server/info.log" WAT | rex field=_raw "USER (?P<REGISTRAR>[\d+-\w\w]) downloading /[^/]+/[^/]+/(?P<FILENAME>\w</FILENAME></REGISTRAR></EM>.\w+)+$"</P> <P>For the field "filename" i have results like ".pdf" or ".txt". I'd like to get the entire file name ....Statement.pdf</P> <P>What am I missing or not missing? </P> Mon, 28 Sep 2020 12:12:36 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27922#M5468 gnovak 2020-09-28T12:12:36Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27923#M5469 <P>Maybe (?P<FILENAME>w+\.w+). Escape the period just to make sure.</FILENAME></P> Tue, 07 Aug 2012 15:03:52 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27923#M5469 sdaniels 2012-08-07T15:03:52Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27924#M5470 <P>Try making the end look like this:<BR /> downloading /[^/]+/[^/]+/(?P<FILENAME>[\w.])$"</FILENAME></P> Tue, 07 Aug 2012 15:07:19 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27924#M5470 christopher_hod 2012-08-07T15:07:19Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27925#M5471 <P>When I take the ending + away the field "filename" isn't extracted any more.</P> Tue, 07 Aug 2012 15:08:45 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27925#M5471 gnovak 2012-08-07T15:08:45Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27926#M5472 <P>sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT | rex field=_raw "USER (?P<REGISTRAR>[\d+-\w\w]) downloading /[^/]+/[^/]+/(?P<FILENAME>w+.w+).$" doesn't work. Even taking away the $ doesn't work either. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></FILENAME></REGISTRAR></P> Mon, 28 Sep 2020 12:12:38 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27926#M5472 gnovak 2020-09-28T12:12:38Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27927#M5473 <P>rex field=_raw "USER.*/(?<FILENAME>.+?)$"</FILENAME></P> Tue, 07 Aug 2012 15:20:12 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27927#M5473 dmaislin_splunk 2012-08-07T15:20:12Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27928#M5474 <P>This actually worked. I took some of your example and added it. sourcetype="EPPWEB" source="/opt/log/<EM>/web_server/info.log" WAT | rex field=_raw "USER (?P<REGISTRAR>[\d+-\w\w]).</REGISTRAR></EM>/(?<FILENAME>.+?)$"</FILENAME></P> <P>Thanks for the help</P> Mon, 28 Sep 2020 12:12:41 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27928#M5474 gnovak 2020-09-28T12:12:41Z https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27929#M5475 <P>Awesomeness!</P> Tue, 07 Aug 2012 15:36:34 GMT https://community.splunk.com/t5/Splunk-Search/Regex-question/m-p/27929#M5475 dmaislin_splunk 2012-08-07T15:36:34Z