topic Re: How to extract the last file name from my sample string of data? in Splunk Search

How to extract the last file name from my sample string of data?

jclemons7 — Tue, 01 Sep 2015 16:07:02 GMT

Hello all,

I have the following string:

"6900   0   1024        0   0   0   0   0   0   0   C:\windows\System32\Launcher.exe    "C:\windows\System32\Launcher.exe" "C:\Folder\Link - Shortcut.lnk"  ",

And I need a way to get the very last part (e.g.. Shortcut.lnk). Normally I would use regex for this in SQL or code, but for the life of me, I can't figure out how to implement it in Splunk.

Any help is greatly appreciated..

Re: How to extract the last file name from my sample string of data?

bmacias84 — Tue, 01 Sep 2015 16:27:34 GMT

Can you provide a few more samples?

Re: How to extract the last file name from my sample string of data?

richgalloway — Tue, 01 Sep 2015 16:43:59 GMT

Splunk does regex, too. Assuming your text is already extracted, this should pull out the last part. I've made other assumptions about the characters that start and end the desired text so you may need to adjust the regex.

... | rex field=text "- (?<shortcut>[^\"]*)" | ...