Splunk Search

How to extract the file name from full path using regex/rex?

jamesvz84
Communicator

I am trying to extract a file name from the entire path using rex. An example log is:

....request=http://66.228.48.137/malicious_file/2007-5659/21.exe....

I am using the following search:

index="devices-syslog-ng" | rex field=_raw "request=[^/]+(?[^\s]+)"

However, this is returning: //66.228.48.137/malicious_file/2007-5659/21.exe

How can I get it to just return 21.exe?


musskopf
Builder

Hello,

Assuming you have a white space after the filename, you could try:

index="devices-syslog-ng" | rex field=_raw "request=.+\/(?P<filename>.+)\s"

I've used the named extraction, so it will create a field named "filename".

Another option, if the field "request" has already been extracted, you could try:

index="devices-syslog-ng" | rex field=request ".+\/(?P<filename>.+)\s"

Cheers,


cpetterborg
SplunkTrust

There would not be a space at the end of the extracted field (request), so the second rex would need to be something like:

rex field=request "(?P<filename>[^/]+)$"

This also makes sure that only the last bit beyond the last slash (/) is placed in the filename.
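To see why the three patterns in this thread behave differently, here is an added Python example (not code from any poster) that runs each of them with Python's `re` module, which accepts the same `(?P<name>...)` group syntax as rex. The log lines are constructed, and the group name that was lost from the question's pattern is assumed to be `filename`.

```python
import re

# Constructed sample lines modelled on the log quoted in the question;
# the IP and path are the ones shown there, the surrounding fields are invented.
LINE_SIMPLE = "host=proxy1 request=http://66.228.48.137/malicious_file/2007-5659/21.exe status=200"
LINE_REFERER = ("host=proxy1 request=http://66.228.48.137/malicious_file/2007-5659/21.exe "
                "referer=http://example.test/landing/index.html status=200")

# The question's pattern (group name assumed to be 'filename'): [^/]+ only
# consumes 'http:', so the group captures everything from the first slash on.
ORIGINAL = re.compile(r"request=[^/]+(?P<filename>[^\s]+)")
# musskopf's pattern: greedy .+ backtracks to the last slash in the whole
# line that still lets the rest match, and requires whitespace after the name.
GREEDY_WS = re.compile(r"request=.+\/(?P<filename>.+)\s")
# cpetterborg's pattern, applied to the already-extracted request value.
LAST_SEGMENT = re.compile(r"(?P<filename>[^/]+)$")
# Helper to pull the request value out of _raw (assumed to be space-delimited).
REQUEST_FIELD = re.compile(r"request=(?P<request>\S+)")


def extract(pattern: re.Pattern, text: str, group: str):
    """Apply a rex-style pattern and return the named group, or None if no match."""
    m = pattern.search(text)
    return m.group(group) if m else None


def filename_original(raw: str):
    return extract(ORIGINAL, raw, "filename")


def filename_greedy(raw: str):
    return extract(GREEDY_WS, raw, "filename")


def filename_last_segment(raw: str):
    """Two-step version: isolate the request field, then keep only the last path segment."""
    request = extract(REQUEST_FIELD, raw, "request")
    return extract(LAST_SEGMENT, request, "filename") if request else None


if __name__ == "__main__":
    for line in (LINE_SIMPLE, LINE_REFERER):
        print("original     :", filename_original(line))
        print("greedy + \\s  :", filename_greedy(line))
        print("last segment :", filename_last_segment(line))
```

On the second line the greedy pattern crosses into the referer field and returns `index.html`, while the two-step approach on the request field still returns `21.exe`.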
