https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277307#M83630 <P>Hi woodcock,</P> <P>Thank you for you speedy reply. I tried copying and pasting your solution into splunk and it doesnt return any results. </P> <PRE><CODE>...| rex field=url ".^.*\/(?&lt;filename&gt;[^\.\/]+\.(?:[^\.\/]){3,4})$" | top filename </CODE></PRE> <P>Any ideas on what I could be missing?</P> Wed, 06 Apr 2016 21:29:59 GMT jmedved 2016-04-06T21:29:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277305#M83628 <P>I am looking for a way to extract filenames of executable files from a URL in proxy logs. The url field in my logs contain the full URL. Here are a few examples. I think we just need to capture everything past the last "/" if it contains 3 or 4 chars after the last ".". Has anyone done anything like this?</P> <PRE><CODE>url=http://www.kaco.net/download/kacotv.exe url=http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip url=https://prod308-client.redplum.com/protocol/install/P@H_prod308-1dF7CZ5x.exe url=http://download.microsoft.com/download/5/3/D/53D3880B-25F8-4714-A4AC-E463A492F96E/41212.00/Silverlight_x64.exe url=http://download.flv.com/kits/flvd/flvdownloader_setup.exe </CODE></PRE> Wed, 06 Apr 2016 20:51:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277305#M83628 jmedved 2016-04-06T20:51:29Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277306#M83629 <P>Like this:</P> <PRE><CODE>... | rex field=url "^.*\/(?&lt;programname&gt;[^\.\/]+\.(?:[^\.\/]){3,4})$" </CODE></PRE> Wed, 06 Apr 2016 21:00:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277306#M83629 woodcock 2016-04-06T21:00:47Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277307#M83630 <P>Hi woodcock,</P> <P>Thank you for you speedy reply. I tried copying and pasting your solution into splunk and it doesnt return any results. </P> <PRE><CODE>...| rex field=url ".^.*\/(?&lt;filename&gt;[^\.\/]+\.(?:[^\.\/]){3,4})$" | top filename </CODE></PRE> <P>Any ideas on what I could be missing?</P> Wed, 06 Apr 2016 21:29:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277307#M83630 jmedved 2016-04-06T21:29:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277308#M83631 <P>Try this run anywhere sample. This is the regex that I use for any field extraction related to URL to extract other information as well</P> <PRE><CODE>| gentimes start=-1 | eval url="http://www.kaco.net/download/kacotv.exe" | rex field=url "(?P&lt;requestedUrl&gt;(?P&lt;path&gt;\/(((?P&lt;contextRoot&gt;[^\/]+))(\S+\/)*(?P&lt;filename&gt;[^\/\?;=\s]+)([^\s]*))))" </CODE></PRE> <P>Replace "| gentimes...| eval ulr..." portion with your base search.</P> Wed, 06 Apr 2016 21:43:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277308#M83631 somesoni2 2016-04-06T21:43:09Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277309#M83632 <P>There was an extra period (".") at the start of the RegEx. I have fixed it; try again.</P> Wed, 06 Apr 2016 21:44:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-rex-to-extract-filename-from-URI/m-p/277309#M83632 woodcock 2016-04-06T21:44:32Z