0

I have a URL like

https://officedomain.com/CDs/ProductMarketingName/Product/Version/MartkingName_Product_Version.exe

and wrote the following query in Splunk search

index=<Server> sourcetype=<type> 
| rex field=URL_Field "http(s)?://[^/]+/(?<EXE_NAME>[^/]+)"

But it returns me "CDs" instead of "MartkingName_Product_Version.exe"

What am I doing wrong?

warren
iamMobile

2 Answers

0

There is more than one path before you get to the EXE_NAME, but your expression only says to look for one.

change:

[^/]+/

to:

([^/]+/)+

or:

([^/]+/)*

So that it matches as many paths as it needs to, then the last step being your EXE_NAME:

http(s)?://([^/]+/)+(?<EXE_NAME>[^/]+)

Or you could use:

http(s)?://.*/(?<EXE_NAME>[^/]+)
Mads Hansen
  • No, it did not work, but what I did is `| eval Exe_Version=mvindex(split(URL,"/"),-1)`, which seems to work – iamMobile Jul 29 '22 at 20:40
0

This regular expression will match the last part of the URL that ends with (case-insensitive) "exe", and that ends the string:

| rex field=URL_Field "\/(?<exename>[^\/]+[eE][xX][eE])$"

The format is this: start with a front slash, then match everything that's not a front slash that ends with "exe", "EXE", etc., and that is at the end of the string in question.

As you mentioned in a comment to another answer, using split() can also be a good option (sometimes it's faster to break a URL with split() ... so long as you know which element in the multivalue field you need).

warren
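Added example, not part of the question or either answer: a self-contained search that runs the question's pattern, an anchored pattern, and the split() approach side by side on three constructed URLs, so the difference shows up when a URL carries a query string or ends in a slash. The field names first_segment, EXE_NAME_anchored and last_by_split and the second and third sample URLs are assumptions made for illustration; the anchored pattern stops at "?" or "#", so a query string such as "?src=mirror/a" does not become the extracted name, whereas the last "/"-delimited element of that URL is "a".

```spl
| makeresults
| eval URL_Field=split("https://officedomain.com/CDs/ProductMarketingName/Product/Version/MartkingName_Product_Version.exe|https://officedomain.com/CDs/Tool/Setup.EXE?src=mirror/a|https://officedomain.com/CDs/Tool/", "|")
| mvexpand URL_Field
| rex field=URL_Field "https?://[^/]+/(?<first_segment>[^/]+)"
| rex field=URL_Field "^https?://[^/?#]+/(?:[^/?#]+/)*(?<EXE_NAME_anchored>[^/?#]+\.(?i:exe))(?:[?#]|$)"
| eval last_by_split=mvindex(split(URL_Field, "/"), -1)
| table URL_Field first_segment EXE_NAME_anchored last_by_split
```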