I have a search which produces c:\folder\folder\folder\folder\file.exe as results. I want to remove all of the c:\folders so I'm only left with file.exe. It's unknown how many subfolders may exist in my search. I'm still new to regex searching, so I managed to get the query I want in a simulator but I can't get Splunk to produce the results.
Expression [^\\\]*$
| rex field=Filepath "(?<'Path'>[^\\\]*$)"
Any help would be appreciated
Give this a try (run anywhere sample, replace line 1 with your search)
| gentimes start=-1 | eval FilePath="c:\folder\folder\folder\folder\file.exe" | table FilePath
| rex field=FilePath "\\\(?<path>\w+\.\w+)$"
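Added example (not from the answer above or from Splunk): the two regexes on this page, written as Python patterns in the form they take after Splunk's string unescaping (an assumption; in the rex string `\\\` stands for one regex backslash), run over constructed paths of different depths. It shows that the answer's `\w+\.\w+` only matches plain name.ext filenames, while the question's "everything after the last backslash" idea, with `*` tightened to `+`, handles any depth and any filename.

```python
import re

# Pattern from the answer: a literal backslash, then name.ext at end of string
ANSWER_PATTERN = re.compile(r"\\(?P<path>\w+\.\w+)$")
# Pattern from the question, with * tightened to + so an empty trailing segment
# (a path ending in a backslash) does not count as a match
GENERAL_PATTERN = re.compile(r"(?P<path>[^\\]+)$")


def basename(filepath, pattern=GENERAL_PATTERN):
    """Return the file name component of a Windows path, or None when nothing matches."""
    m = pattern.search(filepath)
    return m.group("path") if m else None


# Constructed sample paths (not real data) of varying depth and filename shape
SAMPLES = [
    r"c:\folder\folder\folder\folder\file.exe",
    r"c:\file.exe",
    r"c:\a\b\c\d\e\f\g\my-tool_v2.1.exe",       # hyphen in the name
    r"c:\Users\alice\AppData\Local\Temp\notes.tar.gz",  # more than one dot
    r"d:\build\README",                          # no extension
    "c:\\folder\\",                              # directory, no file name
]


def compare(samples=SAMPLES):
    """Map each path to (answer-pattern result, general-pattern result)."""
    return {p: (basename(p, ANSWER_PATTERN), basename(p, GENERAL_PATTERN)) for p in samples}


if __name__ == "__main__":
    for p, (narrow, general) in compare().items():
        print(f"{p!r:55} answer={narrow!r:20} general={general!r}")
```

In SPL the general form of the rex is `| rex field=FilePath "(?<path>[^\\\]+)$"`, which is the question's own expression with a valid group name and `+` instead of `*`.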