That worked perfectly on a search.

To convert it to a field extraction, would this be correct?

file_path:"file_path=.*(?P[A-Z]:(\)[^\"]+)"

Use the same regex that you've in rex command.

file_path=.*(?P<filepath>[A-Z]:(\\\)[^\"]+)

Also, when you type in searches/regular expression here, select that and click on Code Sample button on the editor tool box (button on top of writing area which says 101,010), to format it so that nothing gets truncated.

Okay, did not think about that button.

Get an error when I try to paste that into the Extraction field.

"Encountered the following error while trying to update: Regex: missing closing parenthesis"

Not seeing any missing though

The windows path always causes issues due to backward slash. Try any of this

file_path=.*(?P<filepath>[A-Z]:(\\)[^\"]+)

or

file_path=.*(?P<filepath>[A-Z]:[^\"]+)

Nuts, I spoke too soon.

Seems that some entries work while some still have \?\ in them.

One that works.
rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1481920232 agent_uuid=771335d1-1070-43a5-aba6-d5d2d6eb06e7 cloud="US Cloud" type=1090519054 subtype=34 detector=SHA detection=W32.A78962E3EB-100.SBX.VIOC agent_user=ejones@ZOTECNET file_name=TBNotifier.exe file_path="C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" sha256=a78962e3ebde2876ba49ba646207c622e7dd4e66b0222108be06b6c49de5ab22 file_size=1928776 file_type=HTML file_ts=1478726223 parent_fname="" parent_sha256="" event_description="" sensor=0 instance_id=0 connection_id=1017 connection_sec=1481920231 direction=0 src_ip=10.0.0.118 dest_ip=:: app_proto=0 agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 threat_score=0 num_ioc=0

Example of one that failed.

rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1481920232 agent_uuid=771335d1-1070-43a5-aba6-d5d2d6eb06e7 cloud="US Cloud" type=1090519054 subtype=Execute detector=SHA detection=W32.A78962E3EB-100.SBX.VIOC agent_user="SYSTEM@NT AUTHORITY" file_name=TBNotifier.exe file_path="\?\C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" sha256=a78962e3ebde2876ba49ba646207c622e7dd4e66b0222108be06b6c49de5ab22 file_size=1928776 file_type=HTML file_ts=1478726223 parent_fname=apnmcp.exe parent_sha256=b69749726c16e54fc2ec448748dba5136c412ee5a70443b559db89406ba811cb event_description="" sensor=0 instance_id=0 connection_id=1016 connection_sec=1481920231 direction=0 src_ip=10.0.0.118 dest_ip=:: app_proto=0 agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 threat_score=0 num_ioc=0

Is it possible for one regex to do both? If not, can I have two extracts with the same name for the sourcetype?

Okay, this works perfect on a search time regex. When I try to make it a field extract, I get "Encountered the following error while trying to update: Regex: missing closing parenthesis" I do not see where one is missing.

I was pasting it into my existing file_path extract like this.

file_path=.+(?P[A-Z]:(\)[A-z0-9._\s-]+)