I think the problem here is that the offending comma doesn't actually populate in the extracted field so it's not able to be rex'd out - it's interpreted as a field separator.
To give a full example of a log entry:
2016-02-11 10:01:00,Minor,PC-Name,Continue, - Caller MD5=105202dad5dd174300xxxxxxxxxxxxxx,File Delete,Begin: 2016-02-11 10:01:00,End: 2016-02-11 10:02:00,Rule: Log files written to USB drives | [AC5-1.1] Log writing to USB drives,7100,C:/Program Files (x86)/Microsoft Office/Office14/EXCEL.EXE,0,No Module Name,D:/some_directory/somefile,somemore.xls,User: MrRobot,Domain: EvilCorp,Action Type: ,File size (bytes): 500000,Device ID: USBSTOR\Disk&Ven_Verbatim&Prod_&Rev_8.00\19120xxxxxxxxx&0
So we know that between Name, and ,User, it shouldn't matter how many commas appear - everything between those two identifiers should = filename.
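The extraction described in the post above, as an added Python example that is not part of the original post: it matches against the raw event and anchors on the fields either side of the filename, so commas inside the filename do not matter. It assumes the module field reads `No Module Name` as in the sample (a bare `Name,` anchor would also match `PC-Name,`) and that `User:` is always followed by `Domain:`; `EVENT_RE` and `extract` are hypothetical names.

```python
import re

# Event from the post above, values as posted (including the masked ones).
SAMPLE = (
    r"2016-02-11 10:01:00,Minor,PC-Name,Continue, - Caller MD5=105202dad5dd174300xxxxxxxxxxxxxx,"
    r"File Delete,Begin: 2016-02-11 10:01:00,End: 2016-02-11 10:02:00,"
    r"Rule: Log files written to USB drives | [AC5-1.1] Log writing to USB drives,7100,"
    r"C:/Program Files (x86)/Microsoft Office/Office14/EXCEL.EXE,0,No Module Name,"
    r"D:/some_directory/somefile,somemore.xls,User: MrRobot,Domain: EvilCorp,"
    r"Action Type: ,File size (bytes): 500000,"
    r"Device ID: USBSTOR\Disk&Ven_Verbatim&Prod_&Rev_8.00\19120xxxxxxxxx&0"
)

# Leading anchor: the full module field (assumption: it reads "No Module Name").
# Trailing anchor: the labelled User/Domain pair that follows the filename.
# ".*" is greedy, so the filename runs to the last ",User: ...,Domain: ...,"
# pair on the line, however many commas it contains.
EVENT_RE = re.compile(
    r",No Module Name,(?P<filename>.*),User: (?P<user>[^,]*),Domain: (?P<domain>[^,]*),"
)


def extract(raw_event):
    """Return filename, user and domain from a raw event, or None if no match."""
    match = EVENT_RE.search(raw_event)
    return match.groupdict() if match else None


if __name__ == "__main__":
    posted_name = "D:/some_directory/somefile,somemore.xls"
    # Constructed variants of the posted event: no comma, and several commas.
    variants = [
        SAMPLE,
        SAMPLE.replace(posted_name, "D:/reports/q1.xls"),
        SAMPLE.replace(posted_name, "D:/reports/a,b,c,final.xls"),
    ]
    for event in variants:
        print(extract(event))
```

The same pattern can be applied in Splunk with `rex field=_raw`, writing the named groups as `(?<filename>...)`.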