How to extract the file name from full path using ...

jamesvz84 · ‎02-18-2015

I am trying to extract a file name from the entire path using rex. An example log is:

....request=http://66.228.48.137/malicious_file/2007-5659/21.exe....

I am using the following search:

index="devices-syslog-ng" | rex field=_raw "request=[^/]+(?[^\s]+)"

However, this is returning: //66.228.48.137/malicious_file/2007-5659/21.exe

How can I get it to just return 21.exe?

musskopf · ‎02-18-2015

Hello,

assuming you have a "white space" after the filename, you could try:

index="devices-syslog-ng" | rex field=_raw "request=.+\/(?P<filename>.+)\s"

I've used the named extraction, so it will create a field named "filename".

Another option, if the field "request" is already been extracted you could try:

index="devices-syslog-ng" | rex field=request ".+\/(?P<filename>.+)\s"

Cheers,

cpetterborg · ‎02-24-2015

There would not be a space at the end of the extracted field(request), so the second rex would need to be something like:

rex field=request "(?P<filename>[^/]+)$"

This also makes sure that only the last bit beyond the last slash (/) is placed in the filename.

How to extract the file name from full path using regex/rex?