I have a URL like
https://officedomain.com/CDs/ProductMarketingName/Product/Version/MartkingName_Product_Version.exe
and wrote the following query in Splunk search:
index=<Server> sourcetype=<type>
| rex field=URL_Field "http(s)?://[^/]+/(?<EXE_NAME>[^/]+)"
But it returns "CDs" instead of "MartkingName_Product_Version.exe".
What am I doing wrong?
CodePudding user response:
There is more than one path before you get to the EXE_NAME, but your expression only says to look for one.
Change:
[^/]+/
to:
([^/]+/)+
or:
([^/]+/)*
so that it matches as many paths as it needs to, then the last step being your EXE_NAME:
http(s)?://([^/]+/)+(?<EXE_NAME>[^/]+)
Or you could use:
http(s)?://.*/(?<EXE_NAME>[^/]+)
CodePudding user response:
This regular expression will match the last part of the URL that ends with (case-insensitive) "exe", and that ends the string:
| rex field=URL_Field "\/(?<exename>[^\/]+[eExXeE]{3})$"
The format is this: start with a front slash, then match everything that's not a front slash that ends with "exe", "EXE", etc., and that is at the end of the string in question.
As you mentioned in a comment to another answer, using split() can also be a good option (sometimes it's faster to break a URL with split()) ... so long as you know which element in the multivalue field you need.
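The following is an added worked example, not code from the question or either answer: it runs the question's pattern and the patterns from both answers against a constructed URL of the same shape, so the difference between "stops at the first path segment" and "runs to the last slash" is visible side by side. Two things are assumptions of this example rather than statements from the page: Splunk's rex uses PCRE named groups `(?<name>...)`, so the patterns are spelled with Python's equivalent `(?P<name>...)`; and a second constructed URL with a `?download=1` query string is included to show the edge case where an end-anchored pattern stops matching, together with a `strip_query` helper and the split()-based alternative (the `mvindex(parts, -1)` Splunk equivalent mentioned in a comment is the author's own reading, not something on the page).

```python
import re
from typing import Dict, Optional

# Constructed sample inputs (same shape as the URL in the question; not real hosts or files).
URL = ("https://officedomain.com/CDs/ProductMarketingName/Product/Version/"
       "MartkingName_Product_Version.exe")
URL_WITH_QUERY = URL + "?download=1"   # constructed edge case: query string after the filename

# Splunk's rex uses PCRE named groups (?<name>...); Python's re module spells them
# (?P<name>...). Apart from that one syntactic change, these are the patterns
# discussed in the question and the two answers.
PATTERNS = {
    # The question's pattern: exactly one path segment before the capture, so the
    # capture lands on the first segment after the host ("CDs").
    "question":         r"http(s)?://[^/]+/(?P<EXE_NAME>[^/]+)",
    # First answer: repeat "segment/" as many times as needed, capture what is left.
    "answer1_repeat":   r"http(s)?://([^/]+/)+(?P<EXE_NAME>[^/]+)",
    # First answer, shorter form: greedy .* runs to the LAST slash.
    "answer1_dotstar":  r"http(s)?://.*/(?P<EXE_NAME>[^/]+)",
    # Second answer: last segment ending in three e/x letters, anchored to end of string.
    "answer2_anchored": r"/(?P<exename>[^/]+[eExXeE]{3})$",
}


def extract(url: str, pattern: str) -> Optional[str]:
    """Return the value of the pattern's single named group, or None if it does not match."""
    m = re.search(pattern, url)
    if not m:
        return None
    # Every pattern above has exactly one named group; groupdict() ignores the unnamed (s).
    return next(iter(m.groupdict().values()))


def extract_all(url: str) -> Dict[str, Optional[str]]:
    """Run every pattern against one URL so the results can be compared side by side."""
    return {name: extract(url, pat) for name, pat in PATTERNS.items()}


def strip_query(url: str) -> str:
    """Drop a trailing ?query or #fragment so end-anchored patterns still see the filename."""
    return re.split(r"[?#]", url, maxsplit=1)[0]


def last_segment_via_split(url: str) -> str:
    """The split() approach from the second answer: take the last path element.

    Assumed Splunk equivalent (author's reading, not from the page):
        | eval parts=split(URL_Field, "/") | eval exe=mvindex(parts, -1)
    """
    return strip_query(url).split("/")[-1]


if __name__ == "__main__":
    for u in (URL, URL_WITH_QUERY):
        print(u)
        for name, value in extract_all(u).items():
            print(f"  {name:17} -> {value!r}")
        print(f"  {'split':17} -> {last_segment_via_split(u)!r}")
```

On the plain URL the question's pattern returns "CDs" while all three fixed patterns return the filename; on the URL with a query string the `.*/` and `([^/]+/)+` forms return the filename with `?download=1` still attached and the `$`-anchored form returns nothing at all, which is why a field that can carry query strings is best trimmed (or split) before the filename is extracted.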