So currently, one of my indices logs has the file path which contains the file name but doesn't have a separate file name field. Is there any way to extract the filename? For example, if c:\users\user1\desktop\file.exe is my file path, I want to see file.exe.
PS - I know there are other posts on this, but the solutions offered on those didn't work for me.
I'm going to assume that you have the full path in a field and that you are doing a search time extraction with the rex command. Do something like this:
<your search> | rex field=path "(?P<file>[^\\\]+)$"
If you are using the source field, then just substitute
Edited. - needed an extra backslash in the