these are my logs and i need to grab complete .exe filenames:
1366986567.625 41 94.229.0.20 TCP_DENIED/403 1896 GET http://193.142.244.17/lxkj3824y896yursilh/5492.exe cindy@demo.com NONE/- - BLOCK_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-NONE
1366984129.742 47 27.35.11.11 NONE/503 1890 GET http://topwinsystemscan.com/install/installpv.exe maximus@demo.com NONE/topwinsystemscan.com - OTHER-NONE-Demo_Clients-NONE-NONE-DefaultRouting
1366965031.191 8 203.172.197.2 TCP_DENIED/403 1866 GET http://81.174.66.128/.comete/10.exe tom@demo.com NONE/- - BLOCK_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-NONE
this is my progress so far:
| rex field=_raw "http://[a-z0-9./]+(?<
Assuming you want the bit from after the slash (exclusive) to the .exe (inclusive), try something like this:
... | rex "/(?<filename>[^/]+?\.exe)"
This looks for a slash, then grabs as few non-slashes as possible until the first .exe mention. Note, this would fail if you have entries like foo/bar.exefile.something
because it would recognize bar.exe
- if you expect those cases then you can for example include the trailing space in the regular expression after the closing parenthesis.
You are very close but try this one and see if it works for you:
... | rex field=_raw "\s+http://[a-zA-Z0-9./]+\/(?
the lookahead assertion might have been causing problems. I also grabbed everything up to the last slash then the field "exe" is populated with everything that is not a period. Just a different technique but hope this works out for you.
Assuming you want the bit from after the slash (exclusive) to the .exe (inclusive), try something like this:
... | rex "/(?<filename>[^/]+?\.exe)"
This looks for a slash, then grabs as few non-slashes as possible until the first .exe mention. Note, this would fail if you have entries like foo/bar.exefile.something
because it would recognize bar.exe
- if you expect those cases then you can for example include the trailing space in the regular expression after the closing parenthesis.