Hi emzed , sorry for your command i have not received an output , Attached screen shot for reference.

I tested it on artificial data and I used a field "msg" in rex command. I thing you have data in the field "_raw". 

You should use

| rex field=_raw "\w+:\s+\S+\s+(\/[^\/]+)*\/(?<filename>[^\s\/]+)"

or 

| rex "\w+:\s+\S+\s+(\/[^\/]+)*\/(?<filename>[^\s\/]+)"

note: _raw field is default field for rex command

Hi yuanliu , Thanks below provided rex command has worked and can i get any topic on provided command, Just for knowledge gain.

"READ: \S+ (/[^/]+)*/(?<filename>[^\s/]+)

Rex is about compromises.  I have to make a few assumptions based on the illustrated sample data.

1. "READ:" is perhaps a keyword and doesn't change from event to event.
2. "*MDTM" is perhaps a classifier that may take different forms but that does not contain space. (\S)
3. The path before file name is absolute, and can vary in depth. (See below.)
4. File name contains no space. ([^s])  By convention, file name also does not include a path separator. (Combined with no space, that's [^\s/])
5. After file name, there is either a space or end of the line.

The expression contains two different repetition tokens.  + means repeat at least once, up to any number of times.  * means repeat zero to unlimited times.  Parentheses in standard regex is just grouping.  So, (/[^/]+)* matches /abc, /abc/def, /abc/def/ghi; but (/[^/]+)* zero-length string, so (/[^/]+)*/ also matches /.

Hope this helps.