Hello Ninjas,
I am having some trouble trying to figure out how to use regex to perform a simple action.
So I have a field called Caller_Process_Name which has the value of C:\Windows\System32\explorer.exe
I want to take the "explorer.exe" part out of this field and place it in a new field (called process_name_short). So I see regex as the solution here.
I have been trying the following but I do not believe I am using regex correctly in Splunk and the documentation isn't very helpful.
| rex field=Caller_Process_Name (?<process_name_short>/(\w+)\.(\w+)$/)
I'm sure my regex is solid as it pulls out only the explorer.exe part of the string in the online regex testers.
Would anyone be willing to show me what I'm not doing right here please.
Thanks 🙂
Apologies. There should be back slashes instead of forward slashes in the UNC path. Had to use forward slashes on the question as it wouldn't allow back slashes.
Backslashes are allowed if you put the string within backticks. I've edited your question to use the right slashes.
Thank you! 🙂
See my answer below. I did answer both cases
Two questions off the top.
Is it "C:/Windows/System32/explorer.exe" or "C:\Windows\System32\explorer.exe"?
And are you enclosing your regular expression in quotes?
It should be back slashes as it is a normal Windows path. I added forward slashes as it wouldn't allow back slashes (as your answer shows 🙂 )
I wasn't using quotes but even if I do, it still fails to extract the value and place it in a new field named process_name_short.
Quotes are required. The extraction failed because the regex is incorrect.
Hi you can use this.
| rex field=Caller_Process_Name "(?<process_name_short>[^\\]+$)"
Hope I helped you
Needed three slashes as the second was cancelling out the end square bracket.
But IT WORKED!
Here's the full command that worked:
| rex field=Caller_Process_Name "(?<process_name_short>[^\\\]+$)"
This pulls out the program name part of the path and places it in a new field called process_name_short, which I was able to run a stats command on to count up the different programs throwing audit fails.
Thanks everyone!
Try this:
| rex field=Caller_Process_Name "\/(?<process_name_short>[^\/]+$)"
And the equivalent for Windows paths:
| rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"
Nope neither worked. Got the error returned:
Error in 'rex' command: Encountered the following error while compiling the regex '\
this regex doesn't capture anything... use mine 🙂
That's because I made a typo sorry:
| rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"
You should only have two (not three) backslashes at the beginning of the REX and inside the brackets after the ^.
It throws an error with two, I had to use three. See the picture above.
This works:
| stats count
| eval Caller_Process_Name = "C:\Windows\System32\explorer.exe"
| rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"
This doesn't:
| stats count
| eval Caller_Process_Name = "C:\Windows\System32\explorer.exe"
| rex field=Caller_Process_Name "\\(?<process_name_short>[^\\]+$)"
Anyway, let's focus on the actual problem and not mine 🙂
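To see why the two-backslash and three-backslash versions behave differently, here is an added Python model of the two escaping layers involved (the SPL string literal and the regex engine). It is not code from this thread or from Splunk; the spl_unescape rule is a simplified assumption about SPL quoting that reproduces the results posted above, and the sample paths are constructed.

```python
import re
from typing import Optional

# Constructed sample values; only the first is the path quoted in the question.
SAMPLE_PATHS = [
    r"C:\Windows\System32\explorer.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup.tmp.exe",
]

# Patterns exactly as typed between the quotes of the rex command in the thread.
TWO_SLASHES = r"\\(?<process_name_short>[^\\]+$)"      # reported as failing
THREE_SLASHES = r"\\\(?<process_name_short>[^\\\]+$)"  # reported as working


def spl_unescape(literal: str) -> str:
    """Simplified model (an assumption about SPL quoting, not Splunk's own code):
    inside a double-quoted string, a backslash followed by a backslash or a quote
    yields that one character; any other backslash is passed through unchanged."""
    out = []
    i = 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def rex_basename(path: str, spl_pattern: str) -> Optional[str]:
    """Run a rex-style extraction: unescape the SPL literal, compile the result and
    return the process_name_short capture. None stands for Splunk's behaviour of
    producing no field (the regex fails to compile or does not match)."""
    pattern = spl_unescape(spl_pattern)
    # Splunk's PCRE accepts (?<name>...); Python's re module needs (?P<name>...).
    pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    try:
        regex = re.compile(pattern)
    except re.error:
        return None  # e.g. "[^\]+$)" is an unterminated character class
    match = regex.search(path)
    return match.group("process_name_short") if match else None


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", rex_basename(p, TWO_SLASHES), "|", rex_basename(p, THREE_SLASHES))
```

With two backslashes the pattern reaching the engine is `\(?<process_name_short>[^\]+$)`, whose `\]` swallows the closing bracket, so it never compiles; with three it is `\\(?<process_name_short>[^\\]+$)`, a literal backslash followed by a run of non-backslash characters to the end of the value.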
Your regular expression doesn't match the example value. Working on regex101.com, I came up with this rex command.
... | rex field=Caller_Process_Name "\\(?<process_name_short>\w+\.\w+)$" | ...