I am trying to extract a file name from the entire path using rex. An example log is:
I am using the following search:
index="devices-syslog-ng" | rex field=_raw "request=[^/]+(?[^\s]+)"
However, this is returning: //184.108.40.206/malicious_file/2007-5659/21.exe
How can I get it to just return 21.exe?
Assuming you have a "white space" after the filename, you could try:
index="devices-syslog-ng" | rex field=_raw "request=.+\/(?P<filename>.+)\s"
I've used the named extraction, so it will create a field named "filename".
Another option, if the field "request" has already been extracted, you could try:
index="devices-syslog-ng" | rex field=request ".+\/(?P<filename>.+)\s"
There would not be a space at the end of the extracted field (request), so the second rex would need to be something like:
rex field=request "(?P<filename>[^/]+)$"
This also makes sure that only the last bit beyond the last slash (/) is placed in the filename.
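As an added illustration that is not part of either answer, the regexes from the question and both answers run in Python over constructed log lines, so the greedy behaviour of `.+` on a line with trailing fields is visible; Python needs the `(?P<name>...)` group syntax (Splunk's PCRE also accepts `(?<name>...)`), the `TIGHT_RAW_RE` variant and `request_field()` are my own assumptions, and the lines, IP and field names are made up.

```python
import re

# Constructed sample lines (the question's own example log did not survive);
# the IP is a documentation address, not a real indicator.
LOG_REQUEST_LAST = (
    "Jan 10 12:00:00 proxy01 squid: src=10.0.0.5 "
    "request=http://192.0.2.10/malicious_file/2007-5659/21.exe "
)
LOG_TRAILING_FIELDS = (
    "Jan 10 12:00:01 proxy01 squid: src=10.0.0.5 "
    "request=http://192.0.2.10/malicious_file/2007-5659/21.exe status=200 bytes=1234"
)

QUESTION_RE = re.compile(r"request=[^/]+(?P<filename>[^\s]+)")  # the asker's pattern
ANSWER_RAW_RE = re.compile(r"request=.+\/(?P<filename>.+)\s")   # first answer, on _raw
ANSWER_FIELD_RE = re.compile(r"(?P<filename>[^/]+)$")           # second answer, on request
# Hypothetical tightened variant: \S+ cannot run past the space that ends the URL,
# so trailing key=value pairs on the line are never swallowed into the filename.
TIGHT_RAW_RE = re.compile(r"request=\S+\/(?P<filename>\S+)")


def extract(pattern, text):
    """Return the named 'filename' group, or None when the pattern does not match."""
    m = pattern.search(text)
    return m.group("filename") if m else None


def request_field(text):
    """Stand-in for Splunk's already-extracted request field: the value up to the next space."""
    m = re.search(r"request=(\S+)", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, line in (("request last", LOG_REQUEST_LAST),
                        ("trailing fields", LOG_TRAILING_FIELDS)):
        print(label)
        print("  question's rex  :", extract(QUESTION_RE, line))
        print("  answer on _raw  :", extract(ANSWER_RAW_RE, line))
        print("  answer on field :", extract(ANSWER_FIELD_RE, request_field(line)))
        print("  tightened (mine):", extract(TIGHT_RAW_RE, line))
```

On the line with trailing fields the `.+\s` form returns `21.exe status=200`, while the `[^/]+$` form on the extracted field and the `\S+` variant both return `21.exe`.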