I've an URL like
https://officedomain.com/CDs/ProductMarketingName/Product/Version/MartkingName_Product_Version.exe
and wrote the following query in Splunk search
index=<Server> sourcetype=<type>
| rex field=URL_Field "http(s)?://[^/]+/(?<EXE_NAME>[^/]+)
But it returns me "CDs" instead of "MartkingName_Product_Version.exe"
What am I doing wrong?
warren
On
This regular expression will match the last part of the URL that ends with (case-insensitive) "exe", and that ends the string:
| rex field=URL_Field "\/(?<exename>[^\/]+[eExXeE]{3})$"
THe format is this: start with a front slash, then match everything that's not a front slash that ends with "exe","EXE", etc, and that is at the end of the string in question
As you mentioned in a comment to another answer, using split() can also be a good option (sometimes it's faster to break a URL with split() ... so long as you know which element in the multivalue field you need
there are more than one path before you get to the EXE_NAME, but your expression only says to look for one.
change:
to:
or:
So that it matches as many paths as it needs to, then the last step being your EXE_NAME:
Or you could use: