Hey folks, sorry for asking this type of regex question yet again.
I have values like this in a field called "url":
http://8.8.8.8/file.sh
http://1.1.1.1/file2.sh
http://8.8.4.4/file3.sh
I'm trying to use rex to grab just the URI following the last " / " so I end up with a list like this:
file.sh
file2.sh
file3.sh
I was trying to accomplish this using source=cowrie url=* | rex field=uri "\/(?<url>\w+)\s" | table uri but I'm 99% sure my regular expression is wrong.
Any help would be greatly appreciated!
... View more